[ISN] DirecTV mole to plead guilty

From: InfoSec News (isnat_private)
Date: Thu Apr 24 2003 - 18:45:51 PDT

  • Next message: InfoSec News: "[ISN] The paranoia that paid off"

    http://www.theregister.co.uk/content/55/30393.html
    
    By Kevin Poulsen
    SecurityFocus
    Posted: 24/04/2003 
    
    A 19-year-old University of Chicago student accused of leaking the
    secrets of DirectTV's most advanced anti-piracy technology to hacker
    websites has agreed to plead guilty to violating the rarely used 1996
    Economic Espionage Act.
    
    Igor Serebryany is scheduled to appear Monday in federal court in Los
    Angeles to enter a guilty plea, as part of a plea agreement reached
    between defense attorneys and prosecutors last week, lawyers for both
    sides confirmed Wednesday. The plea deal does not stipulate a
    sentence, which will be governed by federal guidelines, according to
    the prosecutor in the case.
    
    Passed to meet the perceived threat of foreign espionage against
    American companies, the Economic Espionage Act carries harsh penalties
    for stealing trade secrets for personal financial gain, or for a third
    party's economic benefit. For the first five years of its existence
    the law could only be used with approval from the Justice Department
    in Washington -- a limitation that was lifted in March, 2002.
    
    Unlike most defendants charged under the act, Serebryany is not
    accused of having a personal financial motive -- the student was not
    himself a satellite TV pirate, and he gave the secrets away for free.  
    Even with a plea agreement in place, that the powerful law was leveled
    against the teen doesn't sit well with Serebryany's defense lawyers.  
    "We have some problems with the fact that this was filed," says Kiana
    Sloan-Hillier, one of Serebryany's attorneys. "Clearly, it was not
    [meant] to be used carelessly."
    
    "It's the crime of stealing trade secrets, so it's properly used when
    trade secrets are stolen," counters prosecutor James Spertus. "I
    imagine most people who steal get paid for it, or somehow profit by
    it... but it's the theft that's the crime. There's no more appropriate
    statute to use in this case."
    
    
    Smart Card Hacks
    
    According to an FBI affidavit, Serebryany's adventures began when he
    found himself with access to some of DirecTV's most coveted
    technological secrets while working for his uncle at a document
    imaging company at the office of a Los Angeles law firm, Jones, Day,
    Reavis and Pogue. The firm was representing the satellite TV company
    in a lawsuit against NDS, the makers of the smart cards DirecTV uses
    to control access to its signal.
    
    For years, those smart cards have been at the center of an electronic
    arms race between satellite TV pirates and the company's own
    technologists. Each plastic card resembles a credit card, but is a
    completely self contained microcomputer with its own embedded software
    and memory. In normal operation, a subscriber inserts the card into a
    slot in the DirecTV receiver, and a satellite signal from the company
    tells the receiver which channels, if any, the subscriber is allowed
    to watch, based on the unique identification number coded into each
    card.
    
    Each successive generation of DirecTV cards has become more
    technically advanced, but each has eventually been cracked by
    sophisticated hackers, largely based in Canada where the company is
    not licensed to provide service, and where until recently selling
    hacked access cards and equipment was not a crime.
    
    Serebryany's job gave him access to the internal technical secrets of
    the newest version of the smart card, the so-called "P4" card, that
    DirecTV had begun distributing to subscribers, and which satellite
    hackers were nowhere near conquering. As described by the FBI, the
    company closely guards those details with security procedures that
    rival a defense contractor -- confidentiality agreements, high-power
    encryption, "need to know" access, and an air-gapped computer network.  
    "Whenever a writing references DirecTV's P4 technology, it must be
    printed on specific colored paper so it can be easily identified on
    sight, thereby decreasing possible theft of that writing," wrote the
    FBI of one of the company's precautions.
    
    According to court records, the student began smuggling digitized
    copies of the papers out of the law firm on CD ROMs, and e-mailing
    them pseudonymously to the underground. Only a small percentage of the
    stolen data made its way to public websites, and none of it has yet
    inspired a successful hack against the cards.
    
    "My personal feeling was he was just kind of a young kid,
    impressionable, that made a mistake," says "Risestar," a British
    Columbia man who runs the satellite hacking site PirateDen.com, which
    received, but apparently did not publish, some of the documents. "He
    thought he was helping people out and he didn't weigh into account the
    results of his actions."
    
    
    Lawsuit Over Hacking Advice
    
    Serebryany's plea agreement comes at a time when DirecTV's lawyers are
    targeting other sources of hacking information.
    
    Last week the company filed a federal lawsuit against an alleged
    Illinois satellite TV pirate who uses the online handle "Ump25" to
    post message to PiratesDen.com and other satellite hacking sites. In
    addition to allegedly stealing DirecTV service, the complaint charges
    that Ump25 -- who claims in online forums to be a major league
    baseball umpire -- posted detailed information on how to hack earlier
    versions of the DirecTV smart cards, thereby "assisting the
    unauthorized decryption of satellite programming."
    
    Unlike Serebryany, Ump25 isn't accused of stealing trade secrets -- an
    important distinction to Risestar, who says the lawsuit is an
    unprecedented attack on his users' freedom of speech. "It pretty much
    boils down to a Constitutional issue," says Risestar. "This guy didn't
    release any specific tools that aided and abetted anyone. All he did
    was share his knowledge and experiences publicly, and post."
    
    But Marc Zwillinger, the chief litigator in DirecTV's war on piracy,
    says Ump25's posts aren't much different from posting a DVD
    descrambling program to the Internet, which has been ruled illegal in
    the past. "These weren't just instructions like, 'do this and do
    that.' He was putting up the actual changes to make to the card --
    specific code bytes that needed to be changed," says Zwillinger.  
    "People say you should be able to log onto the Internet and say
    anything. But if you go on the Internet and admit to misconduct,
    that's called a confession."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 01:47:59 PDT