Sabotage in a Few Clicks
In the popular imagination, a computer hacker is on the fringes of society--either a brilliant but misguided teenager or a solitary, disaffected adult. He’s more interested in showing off his skills than benefiting from them. He values havoc over money.
Canal Plus Technologies, a leading maker of the smart cards that control satellite television signals in people’s homes, went searching three years ago for just such a troublemaker.
Millions of Europeans were buying counterfeit Canal Plus smart cards on the black market and inserting them in their set-top boxes, instantly getting free access to premium channels that carry soccer games and adult movies. In Italy, there were as many as three freeloaders for every legitimate customer.
Canal Plus, a division of French entertainment conglomerate Vivendi Universal, learned that the code controlling the cards had been posted on a Canadian Web site specializing in the secrets of digital technology. Using the code as a blueprint, it was relatively simple for counterfeiters to make cards.
But who had actually cracked the code that Canal Plus had spent $35 million developing in total secrecy? The firm’s investigation ultimately led not to some maladjusted youth or embittered ex-employee but to an entire company.
Not just any company, either. Behind the hack, Canal Plus says, it was shocked to find NDS Group, a competing smart-card developer largely owned by Rupert Murdoch’s global entertainment conglomerate, News Corp.
According to a lawsuit Canal Plus filed in U.S. District Court in San Francisco in March, NDS sought to dominate the smart-card market by driving a wedge between Canal Plus and its customers. Canal Plus claims a billion dollars in damages.
NDS, which was co-founded in Israel and run for several years by a fugitive from U.S. law enforcement, has denied the charges, calling the suit “an attempt by an inept competitor to shift the blame for its incompetence.”
The hacking has altered the global media industry. The counterfeit cards may have played a role in the downfall of Vivendi’s former Chief Executive Jean-Marie Messier. They also brought about the near-ruination of Vivendi’s prized Italian satellite system, propelling it to the auction block in early June. News Corp. promptly struck a deal to buy it.
The case marks the biggest and most sensational accusation yet of corporate cybercrime, a shadowy, unsavory and increasingly popular activity, experts say.
Corporations and organizations looking for an edge find hacking irresistible and all too easy.
“It’s possible to wreak havoc on a competitor today in a way that it wasn’t before,” said high-tech consultant Sean Badding. “It’s only a few clicks of the mouse from legal to illegal.”
A long-running Silicon Valley case illustrates how “a few clicks” can undermine and even potentially destroy a company.
Seven years ago, Cadence Design Systems, a maker of design software for integrated circuits, sued Avant Corp., claiming it had stolen its programs. A subsequent criminal case, brought by a determined San Jose prosecutor, led to verdicts last year against seven current and former Avant employees, including the chief executive and three founders. Five received jail sentences.
For years, however, Avant was on the offensive, asserting that Cadence was merely a lame competitor. It was an argument that proved surprisingly effective. “We had a lot of pressure from people in the electronics industry saying, ‘Get over it, crybaby,’ ” said Cadence general counsel Smith McKeithen.
Fears of being labeled a loser lead a lot of companies to hush up about sabotage. And even when they’re willing to go public, the prosecution record is “disappointing,” said Bill Boni, coauthor of a forthcoming report from the American Society for Industrial Security on “trends in proprietary information loss.”
“From information theft to manipulating and destabilizing competitors, espionage and sabotage are getting worse,” said Boni, chief information security officer at Motorola Inc. “But catching the culprits is hard. If the FBI didn’t catch [former agent and admitted spy] Robert Hanssen stealing counterintelligence documents, how do you think corporations are going to find someone digitally plundering their crown jewels?”
At its most basic, corporate espionage is a search for competitive information. At Princeton University, the director of admissions recently was caught hacking into a Yale University Web site that let prospective students know whether they had been admitted.
In 1999, Internet bookseller Alibris paid $250,000 to resolve federal charges that it had unlawfully intercepted thousands of e-mail messages to its customers from online bookseller Amazon.com. Many of Alibris’ customers were booksellers themselves; knowing what they were buying from Amazon could provide Alibris a better understanding of the market.
Although companies can put some rudimentary defenses in place, for the most part they are helpless against the type of hacking in these cases. As for corporate sabotage, which is what Canal Plus is alleging, there’s literally no defense.
“A lot of people look at computer security and say, ‘Give me the answer. Tell me what will make these problems go away,’ ” said consultant Bruce Schneier. “And I say, ‘Nothing.’ ”
Lauren Weinstein, co-founder of People for Internet Responsibility, an advocacy group, said it is a mistake to look for a technological solution to sabotage.
“It seems to me to be purely an ethical question,” he said. “We’re going to have to rely on the better part of human nature.”
Noting that newspapers are overflowing with stories about corporate executives who lied and looted, Weinstein acknowledged, “Unfortunately, that’s not always a lot to count on.”
A Colorful History
A smart card, about the size of a credit card, has an embedded chip with a central processing unit and memory cells. Basically, it is a tiny portable computer. That makes it perfect for controlling access to digital television, which is beamed encrypted from satellites.
The smart card slips into the set-top box that converts the digital signal, unscrambling it and acting as a sort of gatekeeper for the programming content. A smart card, for instance, will record what pay-per-view program a subscriber watches and transmit that information over a phone line to the billing office.
About 80 million TVs worldwide use smart-card technology. A third of the cards come from NDS Group, a company with a colorful history.
“NDS is all about the business of keeping secrets,” said Neil Chenoweth, author of a biography of Rupert Murdoch that will be published this fall. “For most of its history it has existed in a legal and tax sense somewhere between Hong Kong, London, Jerusalem and Grand Cayman. But what happens if the secret side of an organization gets out of control?”
News Corp. funded the Israeli start-up in 1988 with vague hopes of profiting from its encryption technology. When Murdoch realized that his new British satellite television service would be endlessly pirated without adequate safeguards, NDS, then called News Datacom, proved its worth almost immediately.
NDS was run by a young English-born entrepreneur named Michael Clinger, a onetime bank credit analyst in New York who became chief executive of a small medical laser company. The Securities and Exchange Commission brought fraud charges against that firm, which Clinger settled in 1986. He then decided to emigrate to Israel. In 1990, a U.S. grand jury indicted Clinger on 51 counts of fraud, conspiracy and insider trading, all relating to the laser company.
Whether Murdoch knew that one of his crucial divisions was being run by an international fugitive remains unclear. Even after relations between Clinger and News Corp. soured, Chenoweth writes in his book, “It wasn’t in News Corp.’s interest for Clinger to be arrested.” An NDS spokeswoman declined to discuss the issue, calling it “ancient history.”
In 1992, Murdoch bought out Clinger’s interest in NDS and got rid of him. Or thought he did. Clinger still secretly controlled the manufacturing company that made the smart cards for NDS, which gave him a direct pipeline into his former company.
Matters spiraled out of control, according to several news accounts, when Clinger’s ex-wife, a former swimsuit model, got involved with NDS’ former chief financial officer. Apparently for revenge, Clinger turned him in for alleged evasion of personal income taxes. Apparently for revenge, the chief financial officer told News Corp. officials that Clinger hadn’t gone away as they thought.
News Corp. sued Clinger for fraud in 1996, saying he was inflating the costs of each card he sold to NDS. Clinger fought back by telling the Israeli tax authorities that they should check NDS’ books. Seventy-five inspectors raided the NDS offices. Eventually, News Corp. paid $3 million to the Israeli tax authorities, saying it wanted to “terminate the uncertainties and the exaggerated rumors” that the case had been spawning.
In an NDS safe, the tax inspectors found something not so simply dealt with: numerous tapes of conversations between Clinger and his lawyers long after he had left NDS. News Corp. denied that it had done any wiretapping of its former executive and asserted that the tapes had been planted by Clinger to frame NDS.
The fraud case, argued in an English court, went badly for Clinger, ending in 1998 with a judgment that he was “a skillful liar” who owed News Corp. and NDS nearly $50 million--a judgment that has not been paid.
By the late 1990s, as the world moved toward digital entertainment, investors figured that a company selling encryption devices would be a big winner. Late in 1999, News Corp. sold 20% of NDS to the public. Within a few months, the value of the company exceeded $5 billion. Among NDS’ big clients were News Corp.’s British Sky Broadcasting Group and DirecTV, a leading U.S. satellite TV operator.
As NDS’ stock was peaking, Vivendi was having massive problems with piracy. The smart cards made by its Canal Plus division powered 12 million set-top boxes, mostly for European television systems owned by its parent.
In Italy, for instance, Canal Plus technology was used by Telepiu, a digital system controlled by Vivendi. News Corp. controlled the competing platform, Stream.
As the companies fought for a commanding lead, their losses mounted. The biggest financial drain for Telepiu was freeloaders. When a new subscriber was buying a satellite dish and set-top box, the vendor would often sweeten the deal by telling the subscriber whom to call for a cheap counterfeit card.
Telepiu canceled its contracts with a quarter of its vendors, but that did little to stem the tide of piracy.
Frustrated, Canal Plus began to track the problem to its source. There were so many counterfeit cards, not only in Italy but elsewhere, that the company was facing claims from its clients for compensation. Competitors were pointing out that Canal Plus couldn’t guarantee the integrity of its system, an alarming charge to make against a security company. Full-scale disaster loomed.
Canal Plus’ investigation ultimately yielded a date, March 26, 1999, and a Canadian Web site, DR7.com. It was then and there, Canal Plus says, that its secret code was revealed for the world’s counterfeiters to see and exploit.
But someone had to crack the code in the first place. Canal Plus maintains that this would have been very difficult. In the first three years it sold the cards, it says, they were never successfully hacked on a widespread basis.
Further investigation, Canal Plus says in its suit, led to Haifa, Israel, and the NDS lab. There, Canal Plus alleges, NDS engineers spent part of 1997 and all of 1998 in a $5-million effort to crack the cards and extract the software code, using such techniques as microprobing, laser cutting and focused ion-beam manipulation.
Allegations that the Haifa lab had extracted the code came from Oliver Kommerling, a consultant whose company, Advanced Digital Security Research, was partly owned by NDS.
“These efforts and the results were put into a written document and circulated among some NDS employees,” Kommerling stated in a court declaration, adding that he also had a copy of it.
Canal Plus even believed it had found an NDS employee who posted the code on the Internet.
The director of security for Canal Plus Technologies, Gilles Kaehlin, said in a court filing that he had met with Christopher Tarnovsky, an NDS employee at its U.S. headquarters in Newport Beach whom he identified as “a well-known ‘pirate’ within the hacker community.” Using a “nonverbal method of communication,” Tarnovsky admitted sending the code to the DR7 Web site, Kaehlin alleged.
Why Tarnovsky should so readily incriminate himself is unclear, but Kaehlin added that the hacker indicated he might switch sides.
“He promised me that he would tell the truth to the court if he were called to testify but that he would not be the ‘whistle-blower’ on NDS’ illegal activities, because he ... feared too much for his life and that of his family,” Kaehlin said in the declaration.
In its lawsuit, Canal Plus accuses NDS of unfair competition, flouting copyright, racketeering and violating the Digital Millennium Copyright Act, which criminalizes the cracking of encryption devices in order to circumvent them.
The case was filed as the satellite TV companies, if not winning against hackers, at least seemed to be fighting them to a draw. But the Canal Plus suit undermined any notion of progress against pirates.
“If you have one of the largest media companies in the world actively working against the copyright holders, the digital future doesn’t have a prayer,” said Chenoweth, the Murdoch biographer. “This suit is really about the future shape of the media industry.”
NDS not only denied any involvement in the hack, it offered to the court some theories about what really happened. Canal Plus cards were hacked long before any code was posted to DR7.com, NDS said. They were vulnerable because they were junk, it added.
Here is what really transpired, NDS says: Four months before the suit was filed, Canal Plus approached NDS about a merger. At the same time, it privately accused NDS of compromising Canal Plus’ smart cards.
The accusation, NDS says, was an extortion attempt: Canal Plus would go public with the charge unless NDS paid an “outrageous” acquisition price. Now that the merger negotiations had fallen apart, Canal Plus was merely doing what it threatened. NDS was the victim here, not the villain.
Almost as an aside, NDS wondered on what grounds it was being sued. Why, it asked, does “United States law govern the actions of engineers in Israel employed by an English company to reverse-engineer the [code] in a smart card created by and for a French company?” It asked the judge to drop the case.
Court Skirmishes
NDS might have said the Canal Plus suit was without merit, but its stockholders fled. On March 12, the day the suit was filed, NDS shares plunged 25%. It closed Wednesday at $9.87, up 57 cents, on Nasdaq.
In early court skirmishes, Canal Plus maintained that the case was so “clear-cut and shocking” that it warranted the unusual legal step of expedited discovery.
Then, at the beginning of the summer, Vivendi, Canal Plus’ debt-laden parent, began to fall apart. To raise money, it had to shed assets. First on the block was its Italian pay-TV division, Telepiu.
If the need for a sale wasn’t a surprise, the prospective buyer was one that Canal Plus executives must have found galling: their hated foe, News Corp.
One condition was attached to the purchase: Drop the suit.
After Vivendi CEO Messier was forced out on July 1, the company also sought a buyer for Canal Plus Technologies. At one point, NDS Chief Executive Abraham Peled told a British newspaper that he was interested. “It’s all a question of the right price,” he said.
The ending might almost have been foretold from the beginning. First pirates had destroyed Canal Plus and Telepiu. Now News Corp. had a chance to pick up the pieces on the cheap. When the deals were done, it would have no satellite competition in Italy and only one remaining smart-card rival, the Swiss Kudelski Group.
If Vivendi had fewer counterfeiters, one observer said, Messier might have avoided seeing the dismemberment of his company, the loss of his job and the triumph of Murdoch.
“When you make a [revenue] forecast and it’s not reached because you have a piracy rate of 35% instead of 10%, it means you’re not reliable,” said Davide Rossi, secretary general of the European Assn. for the Protection of Encrypted Works and Services, a trade group that both Canal Plus and NDS belong to. “Your partners may not be willing to support your other provisions.”
The Telepiu sale has not gone through. Neither has any deal been announced for Canal Plus. As a result, the lawsuit has come back to life. On Aug. 15, U.S. District Judge Vaughn Walker slightly narrowed the case but declined to either move it or drop it, as NDS wanted.
Despite Canal Plus’ assertions about how “no person or company is above the law,” legal experts and industry sources close to the case say its interest is more tactical than ethical. When the suit’s utility as a bargaining chip is over, they expect it to disappear.
Meanwhile, Kommerling, the consultant whose company is partly owned by NDS, has paid a price for coming forward with allegations against NDS.
Within hours after NDS saw his critical declaration, Kommerling was locked out of his offices, which adjoin the NDS headquarters in an outer London suburb. He is suing NDS for wrongful interference, but at the moment has little recourse except to walk away from his own company.
“I don’t regret it,” said Kommerling. “Given the circumstances, it was the only way to go. When I have spent all of my money in legal costs, I’ll still have my integrity and skills and that’s the important thing.”
Asked about Kommerling, NDS declined to comment.