Breaking the pay-TV code-breakers -Australian Financial Review
NewsMan
http://afr.com/premium/commentopinion/2002/04/15/FFXDVLLSZZC.html
Breaking the pay-TV code-breakers
Apr 15
Neil Chenoweth
The real drama unfolded unnoticed on this happiest of days, half a world
away. It was March 27, 1999, and in Australia all eyes in the media were
focused on the Murdoch family property Cavan, near Canberra, where as rain
fell steadily, Lachlan Murdoch married Sarah O'Hare.
With Rupert and Anna Murdoch in the last throes of an acrimonious divorce,
most attention was on the awkward family groupings.
What no-one at Cavan knew was that, on the other side of the world in
British Columbia, where it was still March 26, a Canadian hacker called
Allen Menard was posting a computer file on his website, DR7.com.
Three years later that file, titled Secarom.zip, is a $US3 billion ($5.6
million) headache for the Murdochs. The multibillion-dollar question is,
where did Menard get the file?
French media group Canal Plus says the answer lies somewhere in the records
of NDS Group, a technology outfit that must have one of the most colourful
and bizarre histories of any listed company.
On March 12 this year, three weeks after Lachlan joined his brother James on
the board of NDS (in which News Corp has a 78.8 per cent stake), Canal Plus
lodged a lawsuit against the company in the California District Court
seeking triple damages from losses of $US1 billion - all from that
Secarom.zip file on Al Menard's website.
NDS chief executive Abe Peled strenuously denies the Canal Plus claims.
"This is not the suit of a cheated business seeking protection from piracy,"
NDS has told the court. "It is an attempt by an inept competitor to shift
the blame for its incompetence, to damage its skilled competitor behind the
shield of litigation privilege and to extract an unfair price in merger
negotiations."
In many ways NDS is an accident of history. It grew out of a crash program
in Israel to provide an encryption program for News Corp's Sky satellite
service in Britain.
In November 1988, five months after Rupert Murdoch had announced he was
launching a British satellite service called Sky, rival BSB Holdings ran a
full-page ad in the US magazine Variety urging studios not to sell movie
rights to Sky: "Dear Hollywood, don't let Rupert feed your product to the
pirates."
Australian consultant Bruce Hundertmark convinced Murdoch to use an unproved
Israeli encryption company, News Datacom (later renamed NDS), which
Hundertmark had badgered Murdoch to set up nine months before, to encrypt
the Sky signal.
The technology worked, but by 1991 the company was headed in Israel by an
American-Israeli entrepreneur, Michael Clinger, who was a fugitive, on the
run from an arrest warrant in New York. News Corp eventually forced Clinger
out.
In the mid-1990s, NDS ran into two problems. The first was that pirates had
cracked its smartcard code.
The NDS Videoguard system was based on an encryption algorithm developed by
Professor Adi Shamir, one of the fathers of modern-day cryptology. But
according to a former employee, for cost reasons the early cards did not
carry the entire algorithm. This oversight allowed British video pirates to
break the code. By 1994 there was a thriving piracy trade in counterfeit
BSkyB smartcards.
Soon after, in early 1995, NDS executives discovered they had a second
problem: Clinger, the man they thought they had got rid of in 1992, had
pulled off an international fraud that had cost NDS $US19 million.
News Corp launched a massive worldwide investigation into Clinger's affairs,
co-ordinated by British detective agency Argen Ltd and supervised by News
Corp legal counsel Arthur Siskind. In 1996 News sued Clinger.
The exchanges with Clinger became acrimonious. The court heard claims of
death threats.
Then in October 1996 Israeli tax officers raided the NDS offices in Israel,
acting on claims by Clinger that NDS was evading tax.
Five months later, Israeli police interrogated NDS chief executive Abe Peled
for 16 hours over tapes of bugged telephone conversations the tax officers
had found in his office.
Police also interrogated Reuven Hazak, the former deputy head of Shin Bet,
the Israeli internal security service, who ran a private detective agency
called Shaffron, which was working for NDS in the Clinger investigation.
No charges were laid and both men claimed Clinger had planted the tapes.
NDS later paid a $US3 million no-blame settlement to the tax men.
Hazak subsequently became security chief for NDS in Israel.
It was in 1996, when the investigation into Clinger was at its height and
News Corp had learned the advantages of covert intelligence, that NDS
quietly set up its own covert operation aimed at the pay-TV pirates.
Besides Hazak in Israel, NDS hired Chris Morris as US director of special
projects. Morris was a former army counter-intelligence officer who had run
sting operations in North America for General Instruments to jail cable-TV
pirates.
In the UK, NDS later hired former Scotland Yard commander Ray Adams as
director of security for NDS in Britain, after he was cleared by two
inquiries into his links with criminal figures whom he had used as
informants.
There was a second, secret arm to the NDS strategy. It was to put a group of
hackers on the NDS payroll. It was known as the Swiss Cheese Group.
Apparently NDS believed in this way it could keep abreast of developments in
the hacking world. It also tapped the hackers' expertise to test its own
products, and those of its rivals.
Germany was the most fruitful recruiting ground, among hackers associated
with the Kaos Computer Club. NDS tried for two years to recruit its most
famous member, Boris Floricic, a brilliant German hacker known as Tron.
In October 1998, Floricic's body was found hanging from a tree in a Berlin
park, with both feet on the ground.
"We're always looking for excellent engineers, and we contacted him with a
view to employing him as a consultant," NDS spokesperson Margot Field told
The Guardian newspaper in December 1998.
Among Floricic's papers, his father found an NDS invoice dated July 12,
1998, which read: "Hello Boris, here are the analog devices, good luck."
Police say many companies tried to recruit Floricic. They concluded he
committed suicide.
Floricic had published a paper about hacking, or reverse-engineering,
smartcards with Marcus Kuhn, a student at the University of Erlangen in
Germany (now at Cambridge), who ran a user group called TV-Crypt.
In 1999 Kuhn co-wrote with another young hacker, Oliver Kommerling, what
became one of the standard texts on how to reverse-engineer a
state-of-the-art smartcard, titled Design Principles for Tamper Resistant
Smartcards, using acid treatments, microscopic probes, laser cutting, ion
beam manipulation and other techniques.
Kommerling says he has worked as a consultant for NDS since mid-1996,
helping set up the NDS Matam Centre research facility in Haifa by early
1997, and recruiting and training all the Matam engineers.
Another NDS recruit in April 1996 was a young hacker living in Germany,
Christopher Tarnovsky.
The Australian Financial Review has located two 1995 postings to a UK
Internet bulletin board which are signed Christopher Tarnovsky. They have an
e-mail address from a US army base in Germany and ask for help hacking a
D2Mac encryption chip: "I own a copy of the Black Book and have disassembled
the code for dual & single chip but still am a little confused ..."
Several hours later, he repeated the appeal: "Can anybody out there explain
the EuroCrypt M/S packet structure a little bit to me!??! I have the source
to single/dual chip version but the packets structure etc is still UNKNOWN!
... I have the Black Book. That's not enough though."
Another hacker who knew Tarnovsky through Kuhn's TV-Crypt user group and
ended up doing consulting work was Jan Saggiori, in Geneva. In 1996 Saggiori
introduced Tarnovsky to a Canadian - Menard - who ran a piracy website
called DR7, and later to another Swiss-based hacker, Vesselin Ivanon
Nedeltchev, known as Vesco.
Saggiori says in his affidavit that he believed Vesco was working directly
for Reuven Hazak at NDS in Israel last year.
NDS found its biggest problem was in North America, where it provided
smartcards for DirecTV, the satellite broadcaster owned by General Motors.
NDS went hard after pay-TV pirates based in Canada.
Simultaneous raids by the Royal Canadian Mounted Police, US Customs and the
FBI in November 1996 saw 60 people arrested for video piracy, but
convictions were hard to come by. Canadian courts found it was not illegal
for Canadians to pirate the US DirecTV signal, which by law could not be
sold in Canada.
By 1998, DirecTV's problems with piracy were so severe that it issued a
formal notification to NDS that it was reconsidering its encryption system
and examining its rival, NagraStar, owned by the Swiss Kudelski group, used
by Echostar.
At that time Nagra was also hit by a wave of piracy. The hacking community
is full of finger pointing, and Nagra was told by some dealers that NDS had
released Nagra's source code, which was published on DR7.com. Tarnovsky, who
now lived in California, and his friend Menard fell under suspicion.
Last May Echostar security officers used an associate of Menard's, Sean
Quinn, to meet Menard in a hotel room in Vancouver, where they urged him to
become a witness against NDS and Tarnovsky.
But Menard vigorously denied that Tarnovsky had provided him with Nagra
code. No further action was taken.
Friction also arose in Britain, with internet speculation that NDS was
linked to a piracy site, hoic.com, also known as the House Of Ill Compute,
which helped hackers make counterfeit smartcards for ITV Digital, a rival of
BSkyB which uses the Canal Plus system.
NDS has confirmed that UK security chief Adams paid several thousand pounds
into the personal bank account of the man who ran the site. Adams says he
was not aware the Canal Plus software codes were on the site.
Meanwhile, Canal Plus Technologies was also investigating how pirates had
been able to flood the market in Italy with counterfeit smartcards in late
1999. By mid-2001 Canal Plus's head of security, Gilles Kaehlin, believed he
had tracked the leak down to a file posted on DR7 on March 26, 1999.
Earlier that month, Rupert Murdoch had met Jean-Marie Messier of Vivendi
Universal, the controlling shareholder in Canal Plus. But talks to merge
BSkyB with Canal Plus had broken down.
News had been planning to invest in Italian pay-TV operation Stream SpA.
Vivendi had been anxious that News stay out of Italy, to avoid competition
with the Canal Plus pay-TV arm, Telepiu.
In an affidavit filed in the Canal Plus court case, Kommerling, who now runs
a security consultancy called ADSR, which is 40 per cent owned by NDS, said
in early 1999 he was given a copy of a written summary of the Canal Plus
code which had been extracted from a Canal Plus smartcard by the NDS
laboratory in Haifa.
He later recognised the code file posted on the DR7 site as the same file.
NDS employees told him the file had been supplied to DR7.
The file was posted on DR7 with a Readme text file which said in part, "This
file has been downloaded from www.DR7.com ... We ask for nothing in return
but a simple acknowledgment and thanks and those who redistribute as their
own without reference to the source are true losers."
In a second affidavit, Saggiori said when he downloaded the code from DR7
that weekend, part of the code was lost in the transfer. He asked Tarnovsky
if he could obtain the missing file from Menard at DR7.
Saggiori's affidavit includes a printout of an e-mail which he says
Tarnovsky sent him with the missing binary file on March 28 as an
attachment. It read: "Good news from up north here. Enjoy, keep for you
please ... extremely top secret!"
By the middle of last year, Canal Plus says it had narrowed the source of
its pirated smartcards to the DR7 file, but didn't know how it got there,
when Kaehlin, the Canal Plus security chief, met Tarnovsky in London on
August 15. On October 5 Kaehlin flew to California to meet Tarnovsky at his
home in Carlsbad.
In his affidavit filed in the Californian District Court, Kaehlin said
Tarnovsky spoke of leaving NDS, but said it would be "extremely difficult
for him to leave NDS because he was afraid of certain NDS employees".
However, in what Kaehlin says was a "non-verbal method of communication",
Tarnovsky said NDS was responsible for the publication of the Canal Plus
code and that the code had been sent to him by Reuven Hazak via John Norris.
Kaehlin says in his affidavit that he met Tarnovsky again in Santa Monica on
December 16, when Tarnovsky told him "he would tell the truth to the court
if he were called to testify but that he would not be the whistleblower on
NDS illegal activities, because he feared too much for his life and that of
his family".
In early January 2002, Tarnovsky sent Kaehlin a brief e-mail saying he did
not want to talk to him any more.
Norris in his affidavit says he has never had possession of a file titled
Secarom.zip, and denies all of the Canal Plus claims. He says Tarnovsky also
denied to him that he had supplied the file to DR7.
NDS chief executive Abe Peled also denies the claims and links the lawsuit
to an attempt to extort a higher price in talks to merge Canal Plus
Technologies and NDS.
The colourful claims by Canal Plus are yet to be tested in court by
cross-examination by the NDS lawyers. Even if Tarnovsky did supply code to
DR7, which is yet to be proved, the Canal Plus case must prove that he was
instructed to do so by NDS management. Otherwise he would be just another
rogue employee.
The case returns to court on Thursday.