
Satellite TV Hacker Tells His Story

Posted by Soulskill
from the spike-sent dept.
Wired is running a story about Christopher Tarnovsky, the man who was accused of working for NDS, a company owned by Rupert Murdoch's News Corp., to sabotage a competitor's satellite TV system. Wired had a chance to speak with Tarnovsky and get his description of how the smart-card hacking war developed. Quoting: "Tarnovsky, who was known online as 'Big Gun,' says Ereiser offered him $20,000 to fix cards that were killed by ECMs, and he agreed. Each time NDS created a countermeasure, Tarnovsky would analyze the code and find a way to circumvent the countermeasure. He did it while working full-time as a software engineer for a semiconductor company in Massachusetts. 'I'd be at work and I'd check the IRC (channel) to see if they'd launched their Thursday countermeasure yet,' he says. 'It was like a chess game for me. I couldn't wait for them to do a countermeasure because I would counter it in minutes.' It wasn't long before NDS came courting. Tarnovsky had a contact at the company to whom he'd begun passing information about holes in its software, even supplying patches to fix them."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Friday May 30, 2008 @10:05PM (#23606783)

    He did it while working full-time as a software engineer for a semiconductor company in Massachusetts.
    Who wants to track down which company that is? I'm surprised there's even one semiconductor company in Massachusetts (it's about as far away as you can get from the tech centers in the US), so it shouldn't be that hard to figure out.
  • by Doppler00 (534739) on Friday May 30, 2008 @10:17PM (#23606837) Homepage Journal
    Wow, can we get this guy to decode some of the Bluray keys used? Break HDCP? His method is pretty straightforward, easy to follow, and looks foolproof. Expose layers in the chip and read the data directly. I don't see how manufacturers can stop this. As long as the key is physically somewhere in the hardware, it should be possible to access it. I guess the reason this isn't done more often is because of the expense of the high-powered microscope, toxic chemicals, and fume hood.
  • Re:Motivation (Score:4, Interesting)

    by Ethanol-fueled (1125189) * on Friday May 30, 2008 @10:23PM (#23606885) Homepage Journal
    This arms race deserves some indirect praise. It's like a creationist debating with an atheist on philosophical grounds, rather than the creationist just saying some crap like, "But the bible said X, therefore you are wrong and I am shutting you out." Everybody wins in a healthy pissing contest. It's a bad analogy, I took a cue from this [slashdot.org] guy.
  • by Serapth (643581) on Saturday May 31, 2008 @12:20AM (#23607379)
    I mean...

    Since NDS fired him he's been consulting for two semiconductor companies and a manufacturer of dongle tokens, but he misses his life in electronic warfare. If NDS doesn't want him, he says he'd be happy to work for Nagrastar -- jumping sides once again. "I could design a whole entire chip for them like I did for NDS," he says. "NDS thinks today that their technology is superior to everybody else's and it probably is, because they're 17 years ahead of Nagra technologically. But Nagra could catch up overnight if they used my services. "I'm a very valuable asset as far as smart-card technology goes," he adds. "I know everything about (NDS) as far as their intellectual property models go."

    Then again, it's Wired magazine. They exist purely to create arrogant douchebags, don't they?
  • Re:Interns? (Score:3, Interesting)

    by ResidntGeek (772730) on Saturday May 31, 2008 @12:36AM (#23607445) Journal
    He's not a scientist, you know; he didn't discover all these things himself. Just learn chemistry and electronics (from books or classes), then go work at a semiconductor manufacturing plant on the assembly line for a while to find out how the chips are assembled and what chemicals are used. You should be well able to figure out what solvents to use at each stage to get a chip apart, and you'll be able to recognize the components on the chip from your electronics knowledge. It's not a simple matter, but that's why there's only a few like him. It's well within your reach if you really want it.
  • by TubeSteak (669689) on Saturday May 31, 2008 @01:15AM (#23607581) Journal

    The best you can do is try to reverse engineer it, and short of an electron microscope, you probably couldn't.
    This guy is hacking smart cards with a hood, some off the shelf chemicals, a very precise scratching tool and a pile of computer & electronics gear.

    Now realize that one of these days, resources like electron microscopes will be within the grasp of entities that are not a Government, University, or Corporation. It only takes one rich misanthrope...
  • by justinlee37 (993373) on Saturday May 31, 2008 @07:33AM (#23608625)

    The only moral of the story here is that an arrogant, ethics-free mercenary with access to any tool he pleases is given way too much admiration in the twenty-first century.

    Says who? You? You're just a pompous, self-righteous, moralist dickweed. Don't impose your anachronistic opinions on the rest of us. We don't agree with you.

  • Re:Accountability? (Score:3, Interesting)

    by conureman (748753) on Saturday May 31, 2008 @09:39AM (#23609147)
    "Making top officers personally responsible for the actions of the corporation will just create incentives to take risk and innovate legally."

    Fixed that.
    With a level, legal, and ethical playing field, the players just have to follow the rules and everything will work out. It's called free enterprise, but at this time it's rigged by the cheaters. Will banning steroids ruin professional baseball? I think not.
  • Re:Shocking! (Score:2, Interesting)

    by thalassinos (1006625) on Saturday May 31, 2008 @10:36AM (#23609465)
    You probably meant it as a joke, but the most important thing that motivates a true geek it's the challenge (and the bragging rights).

    Most of us do not do it for the money, we do it because (a) we have an innate curiosity, (b) we want to be in control of our machines and (c) because it's there.

    For example, more than a decade ago I was obsessed with cracking a local broadcaster's encrypted TV signal. They used a (now seriously obsolete) analog Irdeto scheme. It took me almost a month and I had to start learning about encrypted analog transmissions from scratch. The net had precious little information on the subject and most of it was obsolete. Funnily enough, cracking/decoding the sound was more difficult than decoding the video. I watched the decrypted signal for maybe a full day, gloated for my accomplishment to a couple of like-minded friends, and then packed everything up and put it on storage. I still have that Irdeto decoder somewhere.

    Last Xmas, I set up a cardserver at my house. I share my Pay TV card through my home network. I use my Debian server at the basement and a 20 Euro card reader. I do not do anything illegal --- I pay for the card and I watch the decrypted TV only in my residence. I can share my card through the internet with friends and family but I _will_not_do_it_. I simply do not care to save a buck, I am rich enough to pay the subscription price, but I am NOT going to pay their extra 9 Euro per month for the right to use a second decoder because I consider it extortion. I like my Dreambox 7025 (Linux/MIPS processor) and my Dreambox 500 (Linux/PowerPC) (See http://en.wikipedia.org/wiki/Dreambox [wikipedia.org]) and I will not accept my provider's closed-source decoder which they can brick remotely or the fact that they expect that the decoder that I have paid will be bricked if I cancel my subscription.

    Why the above setup? I want to be able to watch TV in ALL rooms of my house without having to lug the decoder from room to room or paying extra (extortion money) for a second decoder. Plus I run a Bittorrent client inside my Sat TV decoder. Plus I stream video through VLC from my PCs to my TV.

    The kicker? I simply do not watch TV (with the exception of Battlestar Galactica); I average maybe 70-90 minutes per week. During my early twenties I spent almost 4½ years without watching TV. Why do I pay for TV when I do not watch it? My wife nagged me into it. But I managed to convert something of no value to me to something fun. I started writing and cross compiling software for my dreambox for fun. I have changed the software to exactly suit my needs and quirks.

    What I am getting at, is that for us geeks, accomplishing something that few others can, and satisfying our inane curiosity, is a much stronger motivation than watching the Sunday game for free. Give us a box and tell us that we cannot run Linux on it and you have just made our day.
  • Re:Motivation (Score:3, Interesting)

    by Tacvek (948259) on Saturday May 31, 2008 @02:19PM (#23611213) Journal

    However, I'm not sure all is lost for the content protectors out there.

    It certainly is... DRM is an inherently untenable system.

    Last time I checked the P4 and greater smart cards used by directv have not been cracked despite a huge demand for it. If I'm wrong please correct me.

    You're wrong about the "huge demand". Since DishNet is wide open (and they were even nice enough to use standard DVB-S protocol which any $50 tuner can receive) there isn't much reason for anyone to bother with DirecTV.
    Citation Please. I am a legit E* subscriber, and to the best of my knowledge, only the anti-pirate channels and the FCC-mandated channels (like the NASA channel) are broadcast clear. Well actually, I believe the information channels are also broadcast in the clear. This is so that those information channels can be seen by unactivated E* receivers. My understanding is though that the remaining channels are indeed encrypted.
  • by ChrisMaple (607946) on Saturday May 31, 2008 @03:00PM (#23611511)
    Examining the chip with a microscope is close to becoming impossible. Today's finest geometry cannot be resolved with an optical microscope. Using EPROM or similar programmable techniques, the function of the chip is determined by stored charges. Whether a transistor is N-type or P-type is determined by doping concentrations, which is also more difficult to determine as the device becomes smaller.

    A chip designed with the intent to make it difficult to reverse-engineer can be made economically infeasible to reverse-engineer.
