Rupert Murdoch Firm Goes on Trial for Alleged Tech Sabotage

A lawsuit alleges that a News Corp. subsidiary hired hackers to sabotage rivals.

April 21, 2008 -- Did a Rupert Murdoch company go too far and hire hackers to sabotage rivals and gain the top spot in the global pay-TV war?

This is the question a jury will be facing in a spectacular five-year-old civil lawsuit that is finally being tried this month in California but which has, oddly, received little notice from U.S. media.

The case involves a colorful cast of characters that includes former intelligence agents, Canadian TV pirates, Bulgarian and German hackers, stolen e-mails and the mysterious suicide of a Berlin hacker who had been courted by the Murdoch company not long before his death.

On the hot spot is NDS Group, a UK-Israeli firm that makes smartcards for pay-TV systems like DirecTV. The company is a majority-owned subsidiary of Murdoch's News Corporation. The charges stem from 1997 when NDS is accused of cracking the encryption of rival NagraStar, which makes access cards and systems for EchoStar's Dish Network and other pay-TV services. Further, it's alleged NDS then hired hackers to manufacture and distribute counterfeit NagraStar cards to pirates to steal Dish Network's programming for free.

NagraStar and one of its parent companies, EchoStar, are seeking about $101 million in damages for piracy, copyright infringement, misconduct and unfair competition. The list of witnesses in the case includes EchoStar's founder and CEO Charlie Ergen; several hackers and pirates; and Reuven Hazak, an Israeli who heads security for NDS and is a former deputy head of Shabak, or Shin Bet, Israel's domestic security agency (the equivalent of Britain's MI5).

The case, which began April 9 in the U.S. District Court's Central Division in Santa Ana, California, could conceivably result in an award of hundreds of millions of dollars, although neither side is expected to emerge unscathed from testimony that threatens to expose the messy underbelly of the high-stakes pay-TV industry.

As if to emphasize this point, U.S. District Judge David O. Carter said after the proceedings began that he was concerned that the case would hinge on testimony from known lawbreakers like hackers and pirates, who have been employed by the companies on both sides of the lawsuit. The judge urged the plaintiffs and defendant to settle rather than face potentially devastating harm to their reputations.

EchoStar wouldn't comment on the case while it's ongoing, but Jim Davis, a senior analyst with the 451 Group, a market research firm, said the company isn't likely to settle.

"It gets taken very personal when your security product has been hacked," he said. "And to have a competitor do that through, allegedly, the services of a known hacker, has got to be particularly galling to NagraStar."

As for NDS, which currently has more than 75 million access cards on the market, Davis says the company probably sees the trial as an opportunity to defend against the image that it is "simultaneously promoting a product that secures networks while working with folks that work outside the law [to break networks]."

The company said in a statement to Wired.com: "We are confident our position will be upheld at a trial."

According to court documents, the scheme began to unravel in 2000 when law-enforcement agents in Texas seized suspicious packages containing CD and DVD players stuffed with more than $40,000 in cash. Parcels similar to this were being sent almost daily from Canada, via Texas, to a hacker in California named Christopher Tarnovsky, who was working for NDS as an engineer. The money was allegedly part of the conspiracy between Tarnovsky and NDS Group to sabotage NagraStar's cards.

As laid out in the allegations, NDS' hacking is said to have begun in 1997 after its own access cards were cracked and it was at risk of losing clients like DirecTV, which was being hit hard by pirates who were selling unfettered access to its system.

But rather than deal with its security breach, NDS hired Tarnovsky and other pirates who had compromised its system to help the company hack and pirate its competitors' cards and even out the playing field, it is alleged.

In addition to Tarnovsky, the company also hired Oliver Kommerling, a hacker known for writing the primer on cracking smartcards. Kommerling has acknowledged in an affidavit that he helped NDS set up a research lab in Haifa, Israel, where NagraStar's smartcard was allegedly cracked by NDS engineers.

NDS didn't hire only hackers, however. According to EchoStar/NagraStar, it also hired a handful of other people with colorful pasts who they say had a role in hacking and pirating EchoStar/NagraStar. There was Reuven Hazak, who had been deputy head of Israel's Shin Bet during the notorious Bus 300 incident, when two Palestinian terrorists who hijacked an Israeli bus were killed in custody by a Shin Bet agent. (Hazak eventually blew the whistle on the subsequent cover-up.)

NDS also hired a former U.S. Navy intelligence officer named John Norris and a former Scotland Yard commander named Ray Adams. Finally, it hired a former would-be terrorist, Yossi Tsuria, who became chief technical officer of its lab in Israel. Tsuria was part of a radical group of Jewish Israelis in the 1980s that plotted to bomb the Dome of the Rock -- a shrine that sits on the Temple Mount in Jerusalem, a holy site for both Jews and Muslims.

NDS has maintained in public statements that Hazak, Norris and its other security officers were hired to help it track down hackers and pirates and get them arrested. But EchoStar and NagraStar allege that Hazak and Norris played central roles in committing hacking and piracy as well.

In late 1997, NDS researchers in Israel reportedly cracked the NagraStar card after about six months of effort, using an electron microscope.

NagraStar became aware its card was hacked in late 1998 when meeting with DirecTV to discuss the pay-TV company's desire to switch from the hacked NDS cards to NagraStar's cards. But DirecTV employees surprised NagraStar at the meeting when they informed NagraStar that its cards had also been hacked.

EchoStar/NagraStar claim that NDS, aware that DirecTV was about to abandon its cards in favor of NagraStar cards, cracked NagraStar's card to discourage DirecTV from making the switch.

After NDS cracked its rival's card, Tarnovsky and his associates allegedly created and sold counterfeit NagraStar cards through a piracy site based in Canada, among others, that allowed pirates to access Dish Network programs for free. Tarnovsky is also accused of later posting on the Canadian site the code, secret keys and instructions for hacking the microprocessor on EchoStar's access cards, allowing pirates to flood the market with even more cards. He has denied the allegations. Hazak and Norris are accused of providing Tarnovsky with the code so he could post it online, but NDS maintains this didn't happen.

According to court documents, the sabotage scheme worked remarkably well throughout 1998 and 1999 as counterfeit NagraStar cards flooded the market.

It was around this time, however, that a German hacker in Berlin known as Boris Floricic, aka Tron, disappeared while walking home from his parents' home one day. He was found several days later hanging from a belt in a park.

Among his possessions, authorities found correspondence from NDS. NDS later said it had offered Boris a job, which he had rejected. Prior to his death, Boris had obtained source code and information about hacking access cards that were being used in a German satellite TV system. His friends in the German hacker group, Chaos Computer Club, were convinced that he'd met with foul play.

Although his death was officially ruled a suicide, there were enough details around it to create suspicion. Floricic's feet were on the ground when he was found hanging, for example, and other evidence suggested that his body might have been placed in the park after he died.

During this time, NagraStar wasn't the only alleged victim of NDS hacking and piracy. In 2002, the French pay-TV service Canal Plus filed a damages suit against NDS, from which the EchoStar/NagraStar case emerged. In an affidavit from that case, Kommerling disclosed that NDS had cracked the Canal Plus cards using a method he had taught its engineers in Israel. Then, he revealed, the company instructed Tarnovsky to post the Canal Plus code on the internet.

The Canal Plus suit fizzled after its parent company, Vivendi Universal, struck a business deal with News Corporation that included a condition that Canal Plus would drop its suit against NDS. This is when EchoStar joined the litigation.

Before Canal Plus's case against NDS died, Tarnovsky indicated to the company that Reuven Hazak had given him the Canal Plus code to post it on the internet. He reportedly told the French firm he would testify in the case, but later backed out, citing fear for his life and his family.

In May 2002, two months after Canal Plus filed its suit, someone broke into the car of one of its U.K. employees and stole the hard drive from his laptop, making off with thousands of NDS documents and e-mails. EchoStar/NagraStar say the e-mails provide proof of NDS' hacking and piracy activities. NDS has suggested that the e-mails might be fabricated and has battled to keep them out of the court proceedings.

NDS has denied the lawsuit allegations. The company maintains that it was simply engaging in reverse-engineering, as any company would do to understand rivals and compete in the marketplace, but that it did not distribute cards or information about hacking NagraStar's encryption to pirates.

In an e-mail statement to Wired.com, the company took a dig at its competitor's competence and touted its superior skills.

"The hacking of EchoStar was the result of inferior technology arising from inadequate investment in research and development by [NagraStar]," said the statement. "NDS, on the other hand, invests heavily in research and development ... we reinvested over 30 percent of our revenues into R&D -- and the result is that we have zero piracy and the platforms of our customers are completely secure."

The trial is expected to last at least two more weeks.