Breaking the pay-TV code-breakers -Australian Financial Review


Breaking the pay-TV code-breakers


Apr 15


Neil Chenoweth


The real drama unfolded unnoticed on this happiest of days, half a world

away. It was March 27, 1999, and in Australia all eyes in the media were

focused on the Murdoch family property Cavan, near Canberra, where as rain

fell steadily, Lachlan Murdoch married Sarah O'Hare.


With Rupert and Anna Murdoch in the last throes of an acrimonious divorce,

most attention was on the awkward family groupings.


What no-one at Cavan knew was that, on the other side of the world in

British Columbia, where it was still March 26, a Canadian hacker called

Allen Menard was posting a computer file on his website,


Three years later that file, titled, is a $US3 billion ($5.6

million) headache for the Murdochs. The multibillion-dollar question is,

where did Menard get the file?


French media group Canal Plus says the answer lies somewhere in the records

of NDS Group, a technology outfit that must have one of the most colourful

and bizarre histories of any listed company.


On March 12 this year, three weeks after Lachlan joined his brother James

on the board of NDS (in which News Corp has a 78.8 per cent stake), Canal

Plus lodged a lawsuit against the company in the California District Court

seeking triple damages from losses of $US1 billion - all from that file on Al Menard's website.


NDS chief executive Abe Peled strenuously denies the Canal Plus claims.


"This is not the suit of a cheated business seeking protection from

piracy," NDS has told the court. "It is an attempt by an inept competitor

to shift the blame for its incompetence, to damage its skilled competitor

behind the shield of litigation privilege and to extract an unfair price in

merger negotiations."


In many ways NDS is an accident of history. It grew out of a crash program

in Israel to provide an encryption program for News Corp's Sky satellite

service in Britain.


In November 1988, five months after Rupert Murdoch had announced he was

launching a British satellite service called Sky, rival BSB Holdings ran a

full-page ad in the US magazine Variety urging studios not to sell movie

rights to Sky: "Dear Hollywood, don't let Rupert feed your product to the



Australian consultant Bruce Hundertmark convinced Murdoch to use an

unproved Israeli encryption company, News Datacom (later renamed NDS),

which Hundertmark had badgered Murdoch to set up nine months before, to

encrypt the Sky signal.


The technology worked, but by 1991 the company was headed in Israel by an

American-Israeli entrepreneur, Michael Clinger, who was a fugitive, on the

run from an arrest warrant in New York. News Corp eventually forced Clinger



In the mid-1990s, NDS ran into two problems. The first was that pirates had

cracked its smartcard code.


The NDS Videoguard system was based on an encryption algorithm developed by

Professor Adi Shamir, one of the fathers of modern-day cryptology. But

according to a former employee, for cost reasons the early cards did not

carry the entire algorithm. This oversight allowed British video pirates to

break the code. By 1994 there was a thriving piracy trade in counterfeit

BSkyB smartcards.


Soon after, in early 1995, NDS executives discovered they had a second

problem: Clinger, the man they thought they had got rid of in 1992, had

pulled off an international fraud that had cost NDS $US19 million.


News Corp launched a massive worldwide investigation into Clinger's

affairs, co-ordinated by British detective agency Argen Ltd and supervised

by News Corp legal counsel Arthur Siskind. In 1996 News sued Clinger.


The exchanges with Clinger became acrimonious. The court heard claims of

death threats.


Then in October 1996 Israeli tax officers raided the NDS offices in Israel,

acting on claims by Clinger that NDS was evading tax.


Five months later, Israeli police interrogated NDS chief executive Abe

Peled for 16 hours over tapes of bugged telephone conversations the tax

officers had found in his office.


Police also interrogated Reuven Hazak, the former deputy head of Shin Bet,

the Israeli internal security service, who ran a private detective agency

called Shaffron, which was working for NDS in the Clinger investigation.


No charges were laid and both men claimed Clinger had planted the tapes.


NDS later paid a $US3 million no-blame settlement to the tax men.


Hazak subsequently became security chief for NDS in Israel.


It was in 1996, when the investigation into Clinger was at its height and

News Corp had learned the advantages of covert intelligence, that NDS

quietly set up its own covert operation aimed at the pay-TV pirates.


Besides Hazak in Israel, NDS hired Chris Morris as US director of special

projects. Morris was a former army counter-intelligence officer who had run

sting operations in North America for General Instruments to jail cable-TV



In the UK, NDS later hired former Scotland Yard commander Ray Adams as

director of security for NDS in Britain, after he was cleared by two

inquiries into his links with criminal figures whom he had used as



There was a second, secret arm to the NDS strategy. It was to put a group

of hackers on the NDS payroll. It was known as the Swiss Cheese Group.


Apparently NDS believed in this way it could keep abreast of developments

in the hacking world. It also tapped the hackers' expertise to test its own

products, and those of its rivals.


Germany was the most fruitful recruiting ground, among hackers associated

with the Kaos Computer Club. NDS tried for two years to recruit its most

famous member, Boris F., a brilliant German hacker known as Tron.


In October 1998, F.'s body was found hanging from a tree in a Berlin

park, with both feet on the ground.


"We're always looking for excellent engineers, and we contacted him with a

view to employing him as a consultant," NDS spokesperson Margot Field told

The Guardian newspaper in December 1998.


Among F.'s papers, his father found an NDS invoice dated July 12,

1998, which read: "Hello Boris, here are the analog devices, good luck."


Police say many companies tried to recruit F. . They concluded he

committed suicide.


F. had published a paper about hacking, or reverse-engineering,

smartcards with Marcus Kuhn, a student at the University of Erlangen in

Germany (now at Cambridge), who ran a user group called TV-Crypt.


In 1999 Kuhn co-wrote with another young hacker, Oliver Kommerling, what

became one of the standard texts on how to reverse-engineer a

state-of-the-art smartcard, titled Design Principles for Tamper Resistant

Smartcards, using acid treatments, microscopic probes, laser cutting, ion

beam manipulation and other techniques.


Kommerling says he has worked as a consultant for NDS since mid-1996,

helping set up the NDS Matam Centre research facility in Haifa by early

1997, and recruiting and training all the Matam engineers.


Another NDS recruit in April 1996 was a young hacker living in Germany,

Christopher Tarnovsky.


The Australian Financial Review has located two 1995 postings to a UK

Internet bulletin board which are signed Christopher Tarnovsky. They have

an e-mail address from a US army base in Germany and ask for help hacking a

D2Mac encryption chip: "I own a copy of the Black Book and have

disassembled the code for dual & single chip but still am a little confused



Several hours later, he repeated the appeal: "Can anybody out there explain

the EuroCrypt M/S packet structure a little bit to me!??! I have the source

to single/dual chip version but the packets structure etc is still UNKNOWN!

... I have the Black Book. That's not enough though."


Another hacker who knew Tarnovsky through Kuhn's TV-Crypt user group and

ended up doing consulting work was Jan Saggiori, in Geneva. In 1996

Saggiori introduced Tarnovsky to a Canadian - Menard - who ran a piracy

website called DR7, and later to another Swiss-based hacker, Vesselin

Ivanon Nedeltchev, known as Vesco.


Saggiori says in his affidavit that he believed Vesco was working directly

for Reuven Hazak at NDS in Israel last year.


NDS found its biggest problem was in North America, where it provided

smartcards for DirecTV, the satellite broadcaster owned by General Motors.

NDS went hard after pay-TV pirates based in Canada.


Simultaneous raids by the Royal Canadian Mounted Police, US Customs and the

FBI in November 1996 saw 60 people arrested for video piracy, but

convictions were hard to come by. Canadian courts found it was not illegal

for Canadians to pirate the US DirecTV signal, which by law could not be

sold in Canada.


By 1998, DirecTV's problems with piracy were so severe that it issued a

formal notification to NDS that it was reconsidering its encryption system

and examining its rival, NagraStar, owned by the Swiss Kudelski group, used

by Echostar.


At that time Nagra was also hit by a wave of piracy. The hacking community

is full of finger pointing, and Nagra was told by some dealers that NDS had

released Nagra's source code, which was published on Tarnovsky,

who now lived in California, and his friend Menard fell under suspicion.


Last May Echostar security officers used an associate of Menard's, Sean

Quinn, to meet Menard in a hotel room in Vancouver, where they urged him to

become a witness against NDS and Tarnovsky.


But Menard vigorously denied that Tarnovsky had provided him with Nagra

code. No further action was taken.


Friction also arose in Britain, with internet speculation that NDS was

linked to a piracy site,, also known as the House Of Ill Compute,

which helped hackers make counterfeit smartcards for ITV Digital, a rival

of BSkyB which uses the Canal Plus system.


NDS has confirmed that UK security chief Adams paid several thousand pounds

into the personal bank account of the man who ran the site. Adams says he

was not aware the Canal Plus software codes were on the site.


Meanwhile, Canal Plus Technologies was also investigating how pirates had

been able to flood the market in Italy with counterfeit smartcards in late

1999. By mid-2001 Canal Plus's head of security, Gilles Kaehlin, believed

he had tracked the leak down to a file posted on DR7 on March 26, 1999.


Earlier that month, Rupert Murdoch had met Jean-Marie Messier of Vivendi

Universal, the controlling shareholder in Canal Plus. But talks to merge

BSkyB with Canal Plus had broken down.


News had been planning to invest in Italian pay-TV operation Stream SpA.

Vivendi had been anxious that News stay out of Italy, to avoid competition

with the Canal Plus pay-TV arm, Telepiu.


In an affidavit filed in the Canal Plus court case, Kommerling, who now

runs a security consultancy called ADSR, which is 40 per cent owned by NDS,

said in early 1999 he was given a copy of a written summary of the Canal

Plus code which had been extracted from a Canal Plus smartcard by the NDS

laboratory in Haifa.


He later recognised the code file posted on the DR7 site as the same file.

NDS employees told him the file had been supplied to DR7.


The file was posted on DR7 with a Readme text file which said in part,

"This file has been downloaded from ... We ask for nothing in

return but a simple acknowledgment and thanks and those who redistribute as

their own without reference to the source are true losers."


In a second affidavit, Saggiori said when he downloaded the code from DR7

that weekend, part of the code was lost in the transfer. He asked Tarnovsky

if he could obtain the missing file from Menard at DR7.


Saggiori's affidavit includes a printout of an e-mail which he says

Tarnovsky sent him with the missing binary file on March 28 as an

attachment. It read: "Good news from up north here. Enjoy, keep for you

please ... extremely top secret!"


By the middle of last year, Canal Plus says it had narrowed the source of

its pirated smartcards to the DR7 file, but didn't know how it got there,

when Kaehlin, the Canal Plus security chief, met Tarnovsky in London on

August 15. On October 5 Kaehlin flew to California to meet Tarnovsky at his

home in Carlsbad.


In his affidavit filed in the Californian District Court, Kaehlin said

Tarnovsky spoke of leaving NDS, but said it would be "extremely difficult

for him to leave NDS because he was afraid of certain NDS employees".


However, in what Kaehlin says was a "non-verbal method of communication",

Tarnovsky said NDS was responsible for the publication of the Canal Plus

code and that the code had been sent to him by Reuven Hazak via John



Kaehlin says in his affidavit that he met Tarnovsky again in Santa Monica

on December 16, when Tarnovsky told him "he would tell the truth to the

court if he were called to testify but that he would not be the

whistleblower on NDS illegal activities, because he feared too much for his

life and that of his family".


In early January 2002, Tarnovsky sent Kaehlin a brief e-mail saying he did

not want to talk to him any more.


Norris in his affidavit says he has never had possession of a file titled, and denies all of the Canal Plus claims. He says Tarnovsky

also denied to him that he had supplied the file to DR7.


NDS chief executive Abe Peled also denies the claims and links the lawsuit

to an attempt to extort a higher price in talks to merge Canal Plus

Technologies and NDS.


The colourful claims by Canal Plus are yet to be tested in court by

cross-examination by the NDS lawyers. Even if Tarnovsky did supply code to

DR7, which is yet to be proved, the Canal Plus case must prove that he was

instructed to do so by NDS management. Otherwise he would be just another

rogue employee.


The case returns to court on Thursday.