Is history always stuttering? In 2002, French broadcaster Canal+ sued NDS for having reverse engineered the software of its smart card and for having organized the leak of the pirated software through the site DR7.com. Christopher TARNOVSKY, a former hacker known as “Big Gun” and an employee of NDS, was supposed to have participated in the operation. The complete story is worthy of the best spy novels or Hollywood action movies.
Six years later, the same story again, but with Dish Network. Christopher TARNOVSKY is testifying in front of a court. He recognizes that he worked for NDS and that he wrote a tool, “the stinger”, able to communicate with any smart card. He claims that he did not use his skills to break Dish Network’s security. NDS recognizes that it did reverse engineer the smart cards and then enhanced their security to create a better product. NDS denies that it disseminated the code of pirate cards.
Communicating with any card is not the difficult part. Accessing the code and data of the card is difficult. Reverse engineering a piece of software or hardware is a common practice in security research. The only way to validate the strength of a secure system is to attack it. And that must be done by a team different from the team that designed the system. Furthermore, the attacking team must have hacking skills to “mimic” the real-world environment.
Therefore, it is good practice for a security company to hire skilled people to evaluate its security. Of course, there is always some related risk. There must be a strong trust relationship between the attacking and designing teams.
Once more, security is about TRUST.