Murdoch’s inside job
by Neil Chenoweth
From Latin America, the United States and Canada, across Europe and Asia down to Australia and New Zealand. In every country, in every market, it was game on.
They were on a mission and they had no rules – or rather, no one to call them to account.
They were undercover. They would use funny code names and false money trails, secret informants, “honey pots” and deep cover agents.
They had scorn for everybody who stood in their way and they expressed that scorn freely in encrypted emails to each other, secure that no one from outside their tight group would ever read them.
There was no moral quality to doing this; it was a necessary part of the operation. It was part of the business.
And what was that business?
“It’s not terrorism, it’s not suicide bombing, it’s not weapons of mass destruction,” says Jan Saggiori, a Swiss-Italian hacker who became a target of the underground operatives. “It’s pay television.”
And that raises the billion-dollar question in the global media storm that has engulfed Rupert Murdoch’s media empire after revelations on Wednesday that a secret unit called Operational Security had promoted piracy of News’s pay TV competitors across the world.
News Corporation is one of the most dynamic, creative and powerful media groups in the world. It employs tens of thousands of gifted, committed professionals whose work is groundbreaking, and often inspiring.
How did a global media giant become involved in a high-tech spying scandal?
In 1999, the year James Cameron was winning Oscars for Titanic, which made so much money for News, how did the Murdoch empire come to be running a private security force with an annual budget between $5 million and $10 million?
At the heart of the drama that is playing out is the modern world’s desperate need for security.
Our bank accounts, our personal details, our communications – a great part of our life – is stored as data. To protect it, the data must be encrypted, often with microchips mounted on smartcards. Our secrets must be safe.
That’s why the figure of the hacker is so threatening. Whether it is Julian Assange or online groups such as Anonymous or Lulzsec, the appearance of the hacker is the signal for deployment of investigators, of security firms, specialist police units and intelligence agencies.
But what happens when it isn’t a government calling in the spooks? What happens when it is a company that goes into the intelligence business?
The short answer is that hiring former spies and intelligence officers changes the culture of a corporation.
And that’s what seemed to happen at News Corporation and its problem child, NDS.
The chain of events is dramatically illustrated in an archive of emails that came from the computer hard drive of a senior NDS executive. The Financial Review has obtained 14,400 of the emails, many of which have been published through our website afr.com.
The development within NDS parallels the way excessive use of private investigators changed the culture of the newspapers at News International that used them, the News of the World and The Sun.
NDS was an accident of history. In February 1998 an Australian technology consultant, Bruce Hundertmark, badgered Murdoch into shelling out $3.6 million to found a start-up company in Israel called News Datacom Research, based on encryption technology developed by the Weizmann Institute, which took a 20 per cent stake. (The details of the early history are airbrushed out of many accounts.)
Seven months later, after blithely deciding to launch Sky Television in the UK, Murdoch realised that he needed to encrypt the broadcast stream.
It’s called conditional access. You can access the programming and watch the moving pictures only on the condition you have paid for it. Otherwise pay TV companies would go broke.
A handful of technology companies around the world provide conditional access services – including Nagra in Switzerland, Viaccess and Canal Plus Technologies in France (later sold to Nagra) and Irdeto in South Africa and the Netherlands. They all use smartcards with microchips on them that are inserted into the set-top box to decrypt the pay television signal – and they are the heart of any pay TV system. They provide the customer management base as well as the platform to offer interactive services.
But the microchips on the smartcards can be hacked and the source codes to the chips exposed.
In 1988 Murdoch turned to NDS to develop his own conditional access system for Sky.
He was so taken with NDS technology that in 2002 when General Motors was planning to launch a US satellite operation called DirecTV, he intervened to persuade them to use NDS to safeguard their broadcast.
And in 1997, when Murdoch agreed to merge his US satellite interests with the other big satellite broadcaster, EchoStar, run by Charlie Ergen, he walked away from the deal when Ergen refused to replace the Nagra smartcards EchoStar used with NDS cards.
Ergen said the NDS cards weren’t safe. In his office in Denver, Colorado, he pulled out some pirate cards for DirecTV and put them into his system to show Murdoch how comprehensively the NDS cards had been broken.
That’s the problem with smartcards. The microchips on the card can be hacked, and the secret codes that operate the cards exposed. Once this happens, pirate cards can be made that mimic the real cards and switch on the programming without payment, draining the broadcasters’ revenue.
It’s huge business. Some estimates put the number of pirate cards for DirecTV by 2000 at close to 1 million. If true, that was $500 million of revenue DirecTV wasn’t earning – and tens of millions of dollars that pirates were.
But it wasn’t piracy that introduced Murdoch to the world of spies and intelligence. It was a fraud that a former chief executive of NDS, Michael Clinger, was still running on NDS years after he had been forced out.
Amazingly, Clinger had run NDS from 1990 to late 1991 despite having a US arrest warrant outstanding against him for stock fraud.
News Corp general counsel Arthur Siskind hired Reuven Hasak, a former deputy head of Israel’s domestic secret service, Shin Bet, to run the investigation in 1995.
Hasak made short shrift of Clinger, and NDS chief executive Abe Peled then hired Hasak full time to set up a special unit called Operational Security to fight piracy of NDS smartcards used by BSkyB in Britain, DirecTV in the US and Foxtel in Australia.
To head Op Sec in Europe, Hasak hired Ray Adams, a highly decorated but controversial former police commander who had run the Metropolitan Police’s S11 criminal intelligence unit.
In the US, Hasak hired John Norris, who had been a US Army captain in intelligence during the Vietnam War and had close links with the US Secret Service. Adams and Norris worked with the FBI, the US Secret Service, US Customs and the Royal Canadian Mounted Police as well as police forces and anti-piracy groups across Europe to target the hackers and dealers who produced the pirate cards.
They instigated hundreds of raids on suspected pirates and forged an impressive reputation as a tough enforcement arm. But piracy persisted, particularly in North America.
Hasak’s people were not just on good terms with law enforcement agencies. Adams’s UK Operational Security team even had a special line item for police. It was Code 880110 and appears in a string of NDS departmental budgets.
On June 9, 2000, Adams’s deputy Len Withall, another former policeman, asked for a £2000 cheque to be made out to Surrey Police, drawn on Code 880110, which he explained was “an amount of money set aside for payment to police/informants for assistance given to us in our work”.
Adams was more explicit on October 9, 2001, when he explained Code 880110 to NDS accountant Greg Gormley, who was looking for budget cuts: “This is a contingency sum for police informants. No claims so far. May be none this year.”
That proved optimistic, as a month later, on November 13, 2001, Withall told an NDS accountant he needed £1000 cash. It should be charged against Code 880110, which he said was “used for payment to some informants not covered under our normal payment system”.
Who was Withall going to pay, using the “contingency sum for police informants”, and why did it have to be in cash?
These payments raise serious questions, beginning with how a major division in News Corp had a line item in its budgets which, on Adams’s description at least, was to be paid to police informants.
How is such a line item discussed at the annual budget planning sessions? At the least, whatever use the money was intended for – and it may well have been innocuous – including it as a line item embeds it in the corporate culture.
Adams may have used his police contacts when he was able to obtain mobile telephone records for a person suspected of involvement in pay TV piracy in Canada. He also appears to have tried to obtain telephone records for an Australian hacker, David Cottle, known as Bond 007.
The Operational Security chief in Asia, Avigail Gutman, was closely monitoring Cottle, supplying him with blank smartcards to aid his piracy of Austar and Foxtel while dissuading rival Irdeto security from moving against him.
“The sources of accusations that NDS participated in piracy of competitor conditional-access systems have been repeatedly discredited,” a spokesman told the Financial Review.
“The United States Department of Justice, a federal court jury, a federal trial court and a federal appellate court all rejected allegations that NDS is responsible for TV piracy.”
Given the close ties Operational Security had to law enforcement, how did the piracy allegations arise?
There was a second arm to the Operational Security strategy. In addition to chasing pirates, Hasak’s “Black Hat” team set out to recruit top hackers, turning them first into informants and then using their expertise to learn how to reverse engineer or deconstruct the smartcards of their rivals.
German master hacker Oliver Kömmerling set up a laboratory in Haifa and trained NDS staff to use micro probes, optical microscopes, micro-laser cutters and a focused ion beam machine to peel away the microchips used by rival companies in their smartcards – the Seca card produced by Canal Plus in France, the Nagra card used by US satellite broadcaster EchoStar, the South African-Dutch Irdeto card and the Viaccess card by France Telecom.
The process on the Nagra card was completed in October 1998 – and within days, part of the same code was published on a piracy site called DR7.com run by a Canadian called Al Menard.
On March 26, 1999, the ROM source code for the Seca card by Canal Plus was also posted on DR7. Suspicion fell on Chris Tarnovsky, an American hacker employed by NDS who was a close friend of Menard.
Kömmerling in Germany saw the DR7 ROM file and realised the Seca file had the same time and date stamp – 4pm on July 6, 1998 – as the ROM file that the NDS Black Hat team had created the previous summer.
The odds against two different files being saved at the same minute in a year are 500,000 to one.
It was the same file. NDS contests this, pointing out that it’s possible to change a time stamp on a computer file artificially. But if someone fabricated the time stamp to frame NDS, how did they know what the time stamp needed to be, unless they had seen the NDS file?
It was a forensic fingerprint that tied the file posted on DR7 to NDS.
But how did the NDS file get to DR7? Suspicion fell on Tarnovsky.
Kömmerling says that Tarnovsky later told him he had been given the Seca ROM file and when he asked what to do with it, an NDS executive had indicated by a facial gesture that he should release it on the internet. Tarnovsky denies having posted the file.
Two days after the Seca ROM file appeared on DR7, Saggiori phoned Tarnovsky, who was a close friend, and asked if he could help supply a part of the Seca ROM that had not been included in the file on DR7.
“[Chris] told me he was not able to have the Canal Plus ROM 2000 address because that part had been lost during extraction of the code,” Saggiori testified in a US court in 2008. But Tarnovsky had the ROM code for the Nagra card, which he offered to send to Saggiori. Both cards were built on an ST Thomson microprocessor, and Tarnovsky incorrectly believed they shared the same system ROM codes.
Tarnovsky sent the Nagra code to Saggiori as an attachment to an email with the PGP encryption system. This locked the file with a date and time. It could be unlocked only by Saggiori’s private key.
This was forensic evidence that linked Tarnovsky and NDS to the release of part of the underlying code for the ST Thomson chip used by Nagra.
At the 2008 trial, an NDS independent expert examined the encrypted file but made no submission to challenge its authenticity. Tarnovsky denied having sent the email to Saggiori, and said he would not have used the high level of encryption in the attachment because it was illegal in the US at the time.
Six months later Saggiori wrote a report that ended up in the hands of Gilles Kaehlin, the head of security at Canal Plus. He opened an inquiry that led to Canal Plus suing NDS for $1 billion in damages, in March 2002.
Oliver Kömmerling became a surprise witness for Canal Plus. Adams lost his job, and in the process the hard drive of his laptop, with thousands of revealing emails, was reported stolen.
Only days before, OnDigital, the fledgling pay TV rival to BSkyB in Britain which used the widely pirated Seca card, had collapsed owing £1 billion.
In 2000, DirecTV had sued NDS for piracy-related behaviour, but the case was settled. DirecTV insisted Tarnovsky had no further contact with its smartcards.
It now sought to reopen the case in light of the Canal Plus allegations, citing actions by Kömmerling. A US Attorney in San Diego convened a grand jury to investigate NDS, and other satellite broadcasters – EchoStar in the US, Sogecable in Spain and MEASAT in Malaysia – applied to join the Canal Plus action.
In June 2001, with the Vivendi/Canal Plus empire days away from collapse, Murdoch agreed to buy its Telepiu pay TV arm in Italy, which he merged with Stream to form Sky Italia.
A condition of the deal was that Canal Plus buried the NDS lawsuit. It became a race against time to see whether EchoStar, Sogecable and MEASAT could gain access to the Canal Plus documentation before the Telepiu deal closed in April 2003.
The window closed. MEASAT walked away when the Canal Plus case closed. Sogecable and EchoStar had to launch new lawsuits. But the delay in trying to join Canal Plus meant most of the events that formed the basis of their cases were now beyond the statute of limitations.
DirecTV dropped its NDS lawsuit after News acquired control of the broadcaster in 2003.
The grand jury investigation was transferred to Los Angeles, where a new deputy US Attorney found NDS had no case to answer.
EchoStar soldiered on, going to trial with a drastically restricted case in 2008.
NDS applied to call the deputy US Attorney as a witness, but the judge ruled against NDS over questions of whether News had helped him get a job at the Motion Picture Association.
The jury decided in EchoStar’s favour on three of the six counts, but awarded negligible damages.
The trial judge awarded split costs with $5 million in EchoStar’s favour. This was overturned by the appeals court.
“Just this week, EchoStar realised the cost of making these futile and damaging allegations against NDS when it paid approximately $19 million to NDS,” an NDS spokesman told the Financial Review during the week.
NDS has been sued by five of the largest satellite broadcasters in the world, each of which was seeking damages of about $1 billion, after paying estimated legal costs of some $80 million.
NDS has emerged unscathed and undaunted. It prefers to focus on its successful sale to Cisco, the spokesman said.
How much are the NDS secrets worth? The two-part sale of NDS that began in 2008 has shown that encryption is a goldmine.
The total payout was $5.7 billion.