国外的黑锅工程师_stereohomology的博客-程序员宅基地

技术标签: security  extension  access  returning  report  学习学习  network  

From the Eye of a Legal Storm, Murdoch's Satellite-TV Hacker Tells All

By Kim Zetter Email 05.30.08
 
Christopher Tarnovsky shows Wired.com the tricks behind smart-card hacking.
Steve Raines/Wired.com

SAN DIEGO -- Christopher Tarnovsky feels vindicated. The software engineer and former satellite-TV pirate has been on the hot seat for five years, accused of helping his former employer, a Rupert Murdoch company, sabotage a rival to gain the top spot in the global pay-TV wars.

But two weeks ago a jury in the civil lawsuit against that employer, NDS Group, largely cleared the company -- and by extension Tarnovsky -- of piracy, finding NDS guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages.

"I knew this was going to come," Tarnovsky says. "They didn't have any proof or evidence."

The trial was years in the making, yet raised more questions than it answered. It came down to testimony between admitted pirates on both sides who accused each other of lying. Now that it's over Tarnovsky, who was fired by NDS last year, is eager to tell his side of the story.

Dressed in loose jeans, flip-flops and a T-shirt, Tarnovsky, 37, spoke with Wired.com by phone and in an air-conditioned lab in Southern California where he's been running a consultancy since losing his job. Surrounded by boxes of smart cards and thousands of dollars worth of microscopes and computers used for researching chips, he talked excitedly at lightning speed about his strange journey, which began in a top-secret Pentagon communications center, and ended with him working both sides of a heated electronic war over pay TV.

Satellite-TV hacker Chris Tarnovsky opens his laboratory to Threat Level reporter Kim Zetter, providing a unprecedented peek into the world of smart-card hacking.
Editor: Annaliza Savage, Camera: Steve Raines
For more, visit wired.com/video.

His story sheds new light on the murky, morally ambiguous world of international satellite pirates and those who do battle with them.

The stakes are high: Earnings in the satellite-TV industry reach the billions. In the first quarter of this year alone, U.S. market leader DirecTV announced revenue of $4.6 billion from more than 17 million U.S. subscribers. Dish Network earned $2.8 billion from nearly 14 million subscribers. Although satellite piracy has greatly diminished from its peak seven to 10 years ago when the events detailed in the civil lawsuit took place, the two companies lost millions in potential revenue, and spent millions more to replace insecure smart cards used in their systems and track down dealers selling pirated smart cards.

Those smart cards are at the center of the controversy over NDS, a British-Israeli company and a majority-owned subsidiary of Murdoch's News Corp. The company makes access cards used by pay-TV systems, most prominently DirecTV -- itself a former Murdoch company. Nagrastar, a plaintiff in the case and NDS's chief competitor, makes access cards used by Dish Network and other runners-up in the market.

According to allegations in the lawsuit, in the late '90s NDS extracted and cracked the proprietary code used in Nagrastar's cards, a fact that NDS doesn't contest. What happened next, though, is hotly disputed. Nagrastar says Tarnovsky used the code to create a device for reprogramming Nagrastar cards into pirate cards, and gave the cards to pirates eager to steal Dish Network's programming. Tarnovsky was also accused of posting to the internet a detailed road map for hacking Nagrastar's cards.

Nagrastar says NDS had an obvious motive for these antics: Their own chip, the so-called P1 or "F Card," had already been thoroughly cracked by pirates, and the company wanted to level the playing field with its competitors.

NDS denied the allegations at trial. The company declined to comment for this article or to confirm details of Tarnovsky's employment other than to say it was pleased that the verdict "ended in a resounding affirmation of NDS and its business ethics and proper conduct."

Tarnovsky began his pirating career in the '90s while serving in the U.S. Army. He had a top-secret SCI security clearance working on cryptographic computers in Belgium for NATO headquarters, and spent a year at Ft. Detrick in Maryland providing support to the National Security Agency for satellite transmissions to Europe.

In 1996, he was stationed in Germany when his colonel sold him a used satellite-TV system, along with two pirated access cards, neither of which worked. Tarnovsky began posting on online pirate forums, and developed contacts in the community, ultimately learning how to fix the cards to access English-language programs from Sky in the United Kingdom.

After leaving the Army and returning to the States, he got a call from Ron Ereiser, a Canadian pirate who'd heard about him through the grapevine. Pirates had found a back door in the P1 card and were vigorously exploiting it to get DirecTV content. But the cards kept failing. In a game of pirate pingpong, DirecTV periodically deployed electronic countermeasures, or ECMs, in the satellite stream that killed the cards in their set-top boxes. Ereiser needed someone to fix the cards.

There was serious black-market money on the line. In Canada, where pirating of U.S. satellite services wasn't considered illegal until 2002, syndicates of dealers did enough business that they could afford to chip in about $50,000 to hire a programmer to reverse engineer the latest cards. Pirate cards would sell for about $200 each, with the profit split between the investors and engineers. Tarnovsky claims Canadian pirate dealers could make $400,000 in a weekend; when Reginald Scullion, a notorious pirate in Canada, was raided in 1998, authorities seized $5.5 million from his bank accounts and safe-deposit boxes, though not all of it was from piracy.

Ereiser, who now works as a consultant to Nagrastar, concedes that the money from piracy was good, but insists that nobody became an overnight millionaire. "It was lucrative," he said in a telephone interview. "But to suggest that millions were being made in a month is an absolute crock."

DirecTV's countermeasures were a nagging drag on this lucrative trade. Every time an ECM was deployed, Ereiser and other dealers would be harangued by customers demanding to have the cards fixed and their TV programs restored.

Tarnovsky, who was known online as "Big Gun," says Ereiser offered him $20,000 to fix cards that were killed by ECMs, and he agreed. Each time NDS created a countermeasure, Tarnovsky would analyze the code and find a way to circumvent the countermeasure. He did it while working full-time as a software engineer for a semiconductor company in Massachusetts.

"I'd be at work and I'd check the IRC (channel) to see if they'd launched their Thursday countermeasure yet," he says. "It was like a chess game for me. I couldn't wait for them to do a countermeasure because I would counter it in minutes."

Tarnovsky suffers from attention deficit hyperactivity disorder, which he says helped with the detailed work.

"I think so fast," he says.

It wasn't long before NDS came courting. Tarnovsky had a contact at the company to whom he'd begun passing information about holes in its software, even supplying patches to fix them. NDS offered him a job earning $65,000 a year. By the time the company fired him last year, he was earning about $245,000 in salary and bonuses and had another $100,000 in stock options, he says.

The company set him up in a lab in Southern California equipped with a computer, some DirecTV set-top boxes, sample DirecTV cards and NDS source code. There was no fancy equipment at first, but his relationship with NDS and the lab grew over the decade he worked with them. Tarnovsky says the job was a dream come true. While living in Europe he'd once seen a news report showing an engineer at a French satellite company writing countermeasures, sitting in a lab with smart cards piled around him on his desk.

"I always thought it would be so cool to be that guy," Tarnovsky says. "Finally I got the chance."

Tarnovsky had two roles at NDS -- to find holes in its software and work undercover with pirates to discover what they were doing against NDS technology.

To conceal his relationship with NDS from pirates, few people at the company knew his identity. He used the name "Michael George" and for the first four years was paid through other companies, including, for about five months, HarperCollins, the Murdoch-owned book publisher.

"It was very hush-hush, because we didn't know who could be an inside informant," he says.

Part of his job was developing ECMs for NDS. He'd examine pirate NDS cards to determine how they worked, then send instructions to engineers in Israel to create a kill for them.

"I didn’t actually load the gun and pull the trigger but I got to make the bullet," Tarnovsky says.

Among the countermeasures he says he created was one known among pirates as the "Black Sunday" kill -- an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001.

Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. "They never expected us to do this," Tarnovsky says.

The kill didn't last long before pirates found a way to jump-start the cards. But it holds an enduring position in pirate lore; for the first time, they could see a cunning mind at work on the other side.

While Tarnovsky was killing cards, however, he was also helping pirates fix them.

Days before Tarnovsky began working for NDS, the company began phasing in its latest-generation smart card, the P2, which was thought to be virtually uncrackable. But word reached the company that two Bulgarian hackers working for Ereiser had cracked the P2. On NDS's instructions, Tarnovsky met with Ereiser undercover in Calgary to get the code. When he got there, Ereiser offered him $20,000 to work for him fighting whatever countermeasures NDS and DirecTV cooked up to thwart their P2 hack.

NDS considered it a great opportunity for Tarnovsky to maintain his pirate identity, but DirecTV insisted on some controls. Under "Operation Johnny Walker," as they dubbed it, Tarnovsky gave Ereiser a program to create pirate NDS cards, but encrypted it so no one could copy it. The program worked only with a dongle attached to Ereiser's computer and created a limited number of cards that could be killed at any time.

But, according to Nagrastar, Tarnovsky wasn't just helping NDS fight piracy by working undercover and creating ECMs, he was also committing piracy against NDS's competitors to weaken their place in the market.

After NDS engineers in Israel hacked the Nagrastar code in the late '90s, Nagrastar says Tarnovsky created a "stinger" program that turned Nagrastar cards into pirate cards. He allegedly gave the program to a Canadian named Al Menard in 1999 who sold reprogrammed Nagrastar cards for $350 each. Then in December 2000, someone anonymously posted code and detailed instructions for hacking Nagrastar's card to two websites, one of them run by Menard, exposing Dish Network to even more piracy. It was estimated in court testimony that between 100,000 and 165,000 pirated Nagrastar cards were released to the market in the wake of this posting.

Nagrastar says Menard began sending Tarnovsky cash from the sale of the pirate cards. At the end of August 2000, authorities acting on an anonymous tip seized two boxes destined for a mail drop Tarnovsky rented in Texas. Inside, they found a CD and DVD player with $20,000 and $20,100 concealed inside.

The boxes were sent from a phony address for "Regency Audio" in Vancouver to C.T. Electronics at Tarnovsky's address. A customs form for a third package that wasn't seized indicated that it was sent from Menard to Tarnovsky and also contained electronic goods.

Tarnovsky was in Israel at the time, and says he didn't know anything about the packages until he was notified that they'd been seized. He thinks they were sent by someone in Nagrastar's camp who was trying to frame him. He says Nagrastar's accusations about the "stinger" program were baseless, and that he never gave Menard any software.

On Feb. 9, 2001, U.S. Customs agents appeared at his doorstep. On advice of a lawyer, he declined to let them search his house without a warrant. Tarnovsky was never arrested or charged with any crime, but suspicions against him were mounting. NDS gave Tarnovsky a polygraph test, but asked only two, self-interested questions that never touched on the Nagrastar accusations: Had Tarnovsky sold any modified NDS smart cards, or company secrets, since he'd been working for the company? Tarnovsky answered no, and passed the test.

He continued to work for NDS for six years. But then last year, Nagrastar confronted NDS with a sheriff's report showing that fingerprints lifted from the seized electronics equipment sent to Tarnovsky's Texas mail drop belonged to an associate of Menard, raising suspicions again that Tarnovsky might have sold pirate Nagrastar cards without NDS's knowledge. NDS fired him.

Tarnovsky says his termination proves he and NDS weren't conspiring against Nagrastar. Had they been, NDS would have done anything to keep him happy, and quiet. He says the fact that Nagrastar lost the case shows he wasn't pirating on his own either.

"I've never sold a single Nagra card, ever," he says.

Although he was angry at NDS for abandoning him, he told Wired.com before the trial ended that he hoped to work for the company again.

"I want to make sure that NDS wins this lawsuit because that will clear my name," he said at the time.

When it was suggested that someone might view this as motivation for him to lie on NDS's behalf, he disagreed.

"That's crazy. I could go to jail," he said. "I would never perjure myself for some company."

Since NDS fired him he's been consulting for two semiconductor companies and a manufacturer of dongle tokens, but he misses his life in electronic warfare. If NDS doesn't want him, he says he'd be happy to work for Nagrastar -- jumping sides once again.

"I could design a whole entire chip for them like I did for NDS," he says. "NDS thinks today that their technology is superior to everybody else's and it probably is, because they're 17 years ahead of Nagra technologically. But Nagra could catch up overnight if they used my services.

"I'm a very valuable asset as far as smart-card technology goes," he adds. "I know everything about (NDS) as far as their intellectual property models go."

He offered his services to the company last year, while the lawsuit was pending. Nagrastar declined.

版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/stereohomology/article/details/5146020

智能推荐

python基础 · os函数_万物皆可爬的博客-程序员宅基地

import os1.rename文件从重命名第一个参数是原文件名,第二个参数是新文件名。os.rename('file/a.txt','aa.txt')2.remove删除文件os.remove('file/file02')3.创建目录(只能创建一层目录)os.mkdir('file02')4.创建多层目录os.makedirs('file04/file05',exis...

win10电脑显示 “您的账户已被停用。请向系统管理员咨询”,如何启动账号?_luzi0206的博客-程序员宅基地_win10你的账户已被停用请向管理员咨询

电脑显示 “您的账户已被停用。请向系统管理员咨询”出现这种情况主要是Administrator帐户被禁用,被禁用的原因主要是用户对系统设置过程中不小心将Administrator属性里的“帐户已禁用”进行勾选,如图1。这时候我们可以按照以下方式来解除。 图1第一步:在登录界面(图2)按shift按键,多按几次或者长按,出现黑窗口(图3)。(如果出现不了,就不用看后面了)

HDU 2586 How far away LCA 倍增法_cjj490168650的博客-程序员宅基地

倍增法求lca,关键就是在于预处理。如果说题的数据太水,有时候暴力反而更快……(此题倍增法我用了78ms,当年暴力62ms...)

flask项目端口设置无效_Jenrey的博客-程序员宅基地_flask修改端口无效

程序设置(该方法无效):解决方法:右上角打开 "Edit Configurations" ,在Additional Options处设置启动参数删掉之前在run方法中设置的参数,再次运行OKpycharm开发flask指定ip、端口无效(已解决,看着一篇就够了)...

C++/MFC下获取控制其它进程的菜单Menu和如何使用SPY++获取菜单ID的方法_DB伟的博客-程序员宅基地_c++中menu

在本方法中控制其它应用进程菜单项的2个基本条件:1)得到应用的主窗口句柄(HWND);2)得到菜单子项ID;1.获取一个应用的菜单子项ID: 在本方法中获取菜单子项ID需要借助工具SPY++,通过SPY++监听该应用对应的消息,人工点击菜单后看点击菜单时,观察监听得到的ID值,得到监听到的ID后定义在自己所写的程序中即可;1.1 SPY++的消息赛选: ...

内存取证-volattlity__abcdef的博客-程序员宅基地_内存取证

Volatility是开源的Windows,Linux,MaC,Android的内存取证分析工具,由python编写成,命令行操作,支持各种操作系统。项目地址:https://code.google.com/archive/p/volatility/安装:kali-bt5自带此工具$ apt-get install subversion-tools$ svn checkout http://volatility.googlecode.com/svn/trunk/ /usr/local/src/v

随便推点

北京交通大学计算机学院复试名单,北京交通大学计算机与信息技术学院考研复试分数线复试通知复试名单..._Easonxxy 的博客-程序员宅基地

北京交通大学计算机与信息技术学院考研复试分数线复试通知复试名单北京交通大学计算机与信息技术学院考研复试分数线复试通知复试名单1、考生进入复试的分数和调剂的基本要求:根据教育部《2014年全国硕士研究生入学考试考生进入复试分数基本要求》,以及本院生源情况,确定2014年计算机学院研究生复试分数线及要求如下。2014年计算机学院研究生复试分数线及要求专业名称信号与信息处理信息安全模式识别与智能系统生物...

Freemarker_Mr_韩的博客-程序员宅基地

Freemarker  主要用于生成静态页面,而且还可以用于生成XML,JSP或Java 等。Freemarker中的核心接口是:Configuration(freemarker.template包下的);Freemarker定位模板文件的类:Template(freemarker.template包下的);    模板位置 ,代码如下:         freeMar

iOS将字符串转换为日期时间格式_chenzhao931885867的博客-程序员宅基地

IOS将字符串转换为日期时间格式   1、如何如何将一个字符串如“ 20110826134106”装化为任意的日期时间格式,下面列举两种类型:   NSString* string = @"20110826134106";    NSDateFormatter *inputFormatter = [[[NSDateFormatter alloc] init] autorelea

非常经典的asp.net验证码制作实例代码详解_南三方的博客-程序员宅基地

一、ASP.Net的验证码的作用对于一个预防攻击的web表单来讲,验证码通常是一个常见的措施。因为如果对于一些public区域的页面内容来讲,譬如一个登录表单,如果没有必要的安全措施,很可能遭到模拟登录的暴力破解攻击,要么轻易获得特定账户的登录信息,要么给服务器增加了大量的负荷,影响正常的服务。解决的办法,一般就是在登录前给出一个随机的信息(验证码),显示在页面上,让用户填写,以确保用户是通过we

appium第二章:元素定位_Jacyow的博客-程序员宅基地

appium第二章:元素定位章节概要Uiautomator工具的使用一、id定位二、name定位三、classname定位四、相对定位五、xpath定位六、List定位章节概要app自动化测试过程中最重要一个环节就是元素定位,只有准确定位到了元素才能进行相关元素的操作,如输入、点击、拖拽、滑动等。appium提供了许多元素定位的方法,如id定位、name定位、class定位、层级定位等等… 接...

SpringCloud Eureka源码分析_代码兄弟的博客-程序员宅基地

Eureka核心功能点服务注册(register):Eureka Client会通过发送REST请求的方式向Eureka Server注册自己的服务,提供自身的元数 据,比如ip地址、端口、运行状况指标的url、主页地址等信息。Eureka Server接收到注册请求后,就会把这些元数 据信息存储在一个双层的Map中。服务续约(renew):在服务注册后,Eureka Client会维护一个心跳来持续通知Eureka Server,说明服务一直处于可 用状态,防止被剔除。Eureka Clie.

推荐文章

热门文章

相关标签