http://www.wired.com/politics/law/news/2008/04/murdoch
By Kim Zetter
Wired.com
04.21.08
Did a Rupert Murdoch company go too far and hire hackers to sabotage
rivals and gain the top spot in the global pay-TV war?
This is the question a jury will be facing in a spectacular
five-year-old civil lawsuit that is finally being tried this month in
California but which has, oddly, received little notice from U.S. media.
The case involves a colorful cast of characters that includes former
intelligence agents, Canadian TV pirates, Bulgarian and German hackers,
stolen e-mails and the mysterious suicide of a Berlin hacker who had
been courted by the Murdoch company not long before his death.
On the hot spot is NDS Group, a UK-Israeli firm that makes smartcards
for pay-TV systems like DirecTV. The company is a majority-owned
subsidiary of Murdoch's News Corporation. The charges stem from 1997
when NDS is accused of cracking the encryption of rival NagraStar, which
makes access cards and systems for EchoStar's Dish Network and other
pay-TV services. Further, it’s alleged NDS then hired hackers to
manufacture and distribute counterfeit NagraStar cards to pirates to
steal Dish Network's programming for free.
NagraStar and one of its parent companies, EchoStar, are seeking about
$101 million in damages for piracy, copyright infringement, misconduct
and unfair competition. The list of witnesses in the case includes
EchoStar's founder and CEO Charlie Ergen; several hackers and pirates;
and Reuven Hazak, an Israeli who heads security for NDS and is a former
deputy head of Shabak, or Shin Bet, Israel's domestic security agency
(the equivalent of Britain's MI5).
The case, which began April 9 in the U.S. District Court's Central
Division in Santa Ana, California, could conceivably result in an award
of hundreds of millions of dollars, although neither side is expected to
emerge unscathed from testimony that threatens to expose the messy
underbelly of the high-stakes pay-TV industry.
As if to emphasize this point, U.S. District Judge David O. Carter said
after the proceedings began that he was concerned that the case would
hinge on testimony from known lawbreakers like hackers and pirates, who
have been employed by the companies on both sides of the lawsuit. The
judge urged the plaintiffs and defendant to settle rather than face
potentially devastating harm to their reputations.
EchoStar wouldn't comment on the case while it's ongoing, but Jim Davis,
a senior analyst with the 451 Group, a market research firm, said the
company isn't likely to settle.
"It gets taken very personal when your security product has been
hacked," he said. "And to have a competitor do that through, allegedly,
the services of a known hacker, has got to be particularly galling to
NagraStar."
As for NDS, which currently has more than 75 million access cards on the
market, Davis says the company probably sees the trial as an opportunity
to defend against the image that it is "simultaneously promoting a
product that secures networks while working with folks that work outside
the law [to break networks]."
The company said in a statement to Wired.com: "We are confident our
position will be upheld at a trial."
According to court documents, the scheme began to unravel in 2000 when
law-enforcement agents in Texas seized suspicious packages containing CD
and DVD players stuffed with more than $40,000 in cash. Similar parcels
were being sent almost daily from Canada, via Texas, to a hacker
in California named Christopher Tarnovsky, who was working for NDS as an
engineer. The money was allegedly part of the conspiracy between
Tarnovsky and NDS Group to sabotage NagraStar's cards.
As laid out in the allegations, NDS' hacking is said to have begun in
1997 after its own access cards were cracked and it was at risk of
losing clients like DirecTV, which was being hit hard by pirates who
were selling unfettered access to its system.
But rather than deal with its security breach, NDS hired Tarnovsky and
other pirates who had compromised its system to help the company hack
and pirate its competitors' cards and even out the playing field, it is
alleged.
In addition to Tarnovsky, the company also hired Oliver Kommerling, a
hacker known for writing the primer on cracking smartcards. Kommerling
has acknowledged in an affidavit that he helped NDS set up a research
lab in Haifa, Israel, where NagraStar's smartcard was allegedly cracked
by NDS engineers.
NDS didn't hire only hackers, however. According to EchoStar/NagraStar,
it also hired a handful of other people with colorful pasts who they say
had a role in hacking and pirating EchoStar/NagraStar. There was Reuven
Hazak, who had been deputy head of Israel's Shin Bet during the
notorious Bus 300 incident, when two Palestinian terrorists who hijacked
an Israeli bus were killed in custody by a Shin Bet agent. (Hazak
eventually blew the whistle on the subsequent cover-up.)
NDS also hired a former U.S. Navy intelligence officer named John Norris
and a former Scotland Yard commander named Ray Adams. Finally, it hired
a former would-be terrorist, Yossi Tsuria, who became chief technical
officer of its lab in Israel. Tsuria was part of a radical group of
Jewish Israelis in the 1980s that plotted to bomb the Dome of the Rock
-- a shrine that sits on the Temple Mount in Jerusalem, a holy site for
both Jews and Muslims.
NDS has maintained in public statements that Hazak, Norris and its other
security officers were hired to help it track down hackers and pirates
and get them arrested. But EchoStar and NagraStar allege that Hazak and
Norris played central roles in committing hacking and piracy as well.
In late 1997, NDS researchers in Israel reportedly cracked the NagraStar
card after about six months of effort, using an electron microscope.
NagraStar became aware its card was hacked in late 1998 when meeting
with DirecTV to discuss the pay-TV company's desire to switch from the
hacked NDS cards to NagraStar's cards. But DirecTV employees surprised
NagraStar at the meeting when they informed NagraStar that its cards had
also been hacked.
EchoStar/NagraStar claim that NDS, aware that DirecTV was about to
abandon its cards in favor of NagraStar cards, cracked NagraStar's card
to discourage DirecTV from making the switch.
After NDS cracked its rival's card, Tarnovsky and his associates
allegedly created and sold counterfeit NagraStar cards through a piracy
site based in Canada, among others, that allowed pirates to access Dish
Network programs for free. Tarnovsky is also accused of later posting on
the Canadian site the code, secret keys and instructions for hacking the
microprocessor on EchoStar's access cards, allowing pirates to flood the
market with even more cards. He has denied the allegations. Hazak and
Norris are accused of providing Tarnovsky with the code so he could post
it online, but NDS maintains this didn't happen.
According to court documents, the sabotage scheme worked remarkably well
throughout 1998 and 1999 as counterfeit NagraStar cards flooded the
market.
It was around this time, however, that a German hacker in Berlin known
as Boris Floricic, aka Tron, disappeared while walking home from his
parents' home one day. He was found several days later hanging from a
belt in a park.
Among his possessions, authorities found correspondence from NDS. NDS
later said it had offered Boris a job, which he had rejected. Prior to
his death, Boris had obtained source code and information about hacking
access cards that were being used in a German satellite TV system. His
friends in the German hacker group, Chaos Computer Club, were convinced
that he'd met with foul play.
Although his death was officially ruled a suicide, there were enough
details around it to create suspicion. Floricic's feet were on the
ground when he was found hanging, for example, and other evidence
suggested that his body might have been placed in the park after he
died.
During this time, NagraStar wasn't the only alleged victim of NDS
hacking and piracy. In 2002, the French pay-TV service Canal Plus filed
a damages suit against NDS, from which the EchoStar/NagraStar case
emerged. In an affidavit from that case, Kommerling disclosed that NDS
had cracked the Canal Plus cards using a method he had taught its
engineers in Israel. Then, he revealed, the company instructed Tarnovsky
to post the Canal Plus code on the internet.
The Canal Plus suit fizzled after its parent company, Vivendi Universal,
struck a business deal with News Corporation that included a condition
that Canal Plus would drop its suit against NDS. This is when EchoStar
joined the litigation.
Before Canal Plus's case against NDS died, Tarnovsky indicated to the
company that Reuven Hazak had given him the Canal Plus code to post it
on the internet. He reportedly told the French firm he would testify in
the case, but later backed out, citing fear for his life and his family.
In May 2002, two months after Canal Plus filed its suit, someone broke
into the car of one of NDS' British employees and stole the hard drive
from his laptop, making off with thousands of NDS documents and e-mails.
EchoStar/NagraStar say the e-mails provide proof of NDS' hacking and
piracy activities. NDS has suggested that the e-mails might be
fabricated and has battled to keep them out of the court proceedings.
NDS has denied the lawsuit allegations. The company maintains that it
was simply engaging in reverse-engineering, as any company would do to
understand rivals and compete in the marketplace, but that it did not
distribute cards or information about hacking NagraStar's encryption to
pirates.
In an e-mail statement to Wired.com, the company took a dig at its
competitor's competence and touted its superior skills.
"The hacking of EchoStar was the result of inferior technology arising
from inadequate investment in research and development by [NagraStar],"
said the statement. "NDS, on the other hand, invests heavily in research
and development ... we reinvested over 30 percent of our revenues into
R&D -- and the result is that we have zero piracy and the platforms of
our customers are completely secure."
The trial is expected to last at least two more weeks.