DirecTV mole to plead guilty

Young kid, big mistake


A 19-year-old University of Chicago student accused of leaking the secrets of DirecTV's most advanced anti-piracy technology to hacker websites has agreed to plead guilty to violating the rarely used 1996 Economic Espionage Act.

Igor Serebryany is scheduled to appear Monday in federal court in Los Angeles to enter a guilty plea, as part of a plea agreement reached between defense attorneys and prosecutors last week, lawyers for both sides confirmed Wednesday. The plea deal does not stipulate a sentence, which will be governed by federal guidelines, according to the prosecutor in the case.

Passed to meet the perceived threat of foreign espionage against American companies, the Economic Espionage Act carries harsh penalties for stealing trade secrets for personal financial gain, or for a third party's economic benefit. For the first five years of its existence the law could only be used with approval from the Justice Department in Washington -- a limitation that was lifted in March, 2002.

Unlike most defendants charged under the act, Serebryany is not accused of having a personal financial motive -- the student was not himself a satellite TV pirate, and he gave the secrets away for free. Even with a plea agreement in place, that the powerful law was leveled against the teen doesn't sit well with Serebryany's defense lawyers. "We have some problems with the fact that this was filed," says Kiana Sloan-Hillier, one of Serebryany's attorneys. "Clearly, it was not [meant] to be used carelessly."

"It's the crime of stealing trade secrets, so it's properly used when trade secrets are stolen," counters prosecutor James Spertus. "I imagine most people who steal get paid for it, or somehow profit by it... but it's the theft that's the crime. There's no more appropriate statute to use in this case."

Smart Card Hacks

According to an FBI affidavit, Serebryany's adventures began when he found himself with access to some of DirecTV's most coveted technological secrets while working for his uncle at a document imaging company at the office of a Los Angeles law firm, Jones, Day, Reavis and Pogue. The firm was representing the satellite TV company in a lawsuit against NDS, the makers of the smart cards DirecTV uses to control access to its signal.

For years, those smart cards have been at the center of an electronic arms race between satellite TV pirates and the company's own technologists. Each plastic card resembles a credit card, but is a completely self-contained microcomputer with its own embedded software and memory. In normal operation, a subscriber inserts the card into a slot in the DirecTV receiver, and a satellite signal from the company tells the receiver which channels, if any, the subscriber is allowed to watch, based on the unique identification number coded into each card.

Each successive generation of DirecTV cards has become more technically advanced, but each has eventually been cracked by sophisticated hackers, largely based in Canada where the company is not licensed to provide service, and where until recently selling hacked access cards and equipment was not a crime.

Serebryany's job gave him access to the internal technical secrets of the newest version of the smart card, the so-called "P4" card, that DirecTV had begun distributing to subscribers, and which satellite hackers were nowhere near conquering. As described by the FBI, the company closely guards those details with security procedures that rival a defense contractor -- confidentiality agreements, high-power encryption, "need to know" access, and an air-gapped computer network. "Whenever a writing references DirecTV's P4 technology, it must be printed on specific colored paper so it can be easily identified on sight, thereby decreasing possible theft of that writing," wrote the FBI of one of the company's precautions.

According to court records, the student began smuggling digitized copies of the papers out of the law firm on CD ROMs, and e-mailing them pseudonymously to the underground. Only a small percentage of the stolen data made its way to public websites, and none of it has yet inspired a successful hack against the cards.

"My personal feeling was he was just kind of a young kid, impressionable, that made a mistake," says "Risestar," a British Columbia man who runs the satellite hacking site PirateDen.com, which received, but apparently did not publish, some of the documents. "He thought he was helping people out and he didn't weigh into account the results of his actions."

Lawsuit Over Hacking Advice

Serebryany's plea agreement comes at a time when DirecTV's lawyers are targeting other sources of hacking information.

Last week the company filed a federal lawsuit against an alleged Illinois satellite TV pirate who uses the online handle "Ump25" to post messages to PiratesDen.com and other satellite hacking sites. In addition to allegedly stealing DirecTV service, the complaint charges that Ump25 -- who claims in online forums to be a major league baseball umpire -- posted detailed information on how to hack earlier versions of the DirecTV smart cards, thereby "assisting the unauthorized decryption of satellite programming."

Unlike Serebryany, Ump25 isn't accused of stealing trade secrets -- an important distinction to Risestar, who says the lawsuit is an unprecedented attack on his users' freedom of speech. "It pretty much boils down to a Constitutional issue," says Risestar. "This guy didn't release any specific tools that aided and abetted anyone. All he did was share his knowledge and experiences publicly, and post."

But Marc Zwillinger, the chief litigator in DirecTV's war on piracy, says Ump25's posts aren't much different from posting a DVD descrambling program to the Internet, which has been ruled illegal in the past. "These weren't just instructions like, 'do this and do that.' He was putting up the actual changes to make to the card -- specific code bytes that needed to be changed," says Zwillinger. "People say you should be able to log onto the Internet and say anything. But if you go on the Internet and admit to misconduct, that's called a confession."

© SecurityFocus
