1-May-86 23:47:02-PDT,9220;000000000000 Mail-From: NEUMANN created at 1-May-86 23:44:58 Date: Thu 1 May 86 23:44:57-PDT From: RISKS FORUM (Peter G. Neumann, Coordinator) Subject: RISKS-2.47 Sender: NEUMANN@SRI-CSL.ARPA To: RISKS-LIST@SRI-CSL.ARPA RISKS-LIST: RISKS-FORUM Digest, Thursday, 1 May 1986 Volume 2 : Issue 47 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: HBO hacking (Phil R. Karn, Dan Franklin) What are the limits to simulation? (Herb Lin) Strategic Systems Reliability Testing (Herb Lin) Correction on Challenger Discussion (Jeff Siegal) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.) (Back issues Vol i Issue j stored in SRI-CSL:RISKS-i.j. Vol 1: MAXj=45) ---------------------------------------------------------------------- Date: Wed, 30 Apr 86 17:58:40 edt From: karn@mouton.bellcore.com (Phil R. Karn) To: risks@sri-csl.arpa Subject: HBO hacking Satellite transponders used by the cable TV industry to relay programs are "bent pipes", that is, they simply repeat whatever they hear. The M/A-Com scrambler equipment is all on the ground. However, the descramblers will switch to "pass through" mode if a nonscrambled signal is received. Therefore, when Captain Midnite sent his unencoded signal, the descramblers simply passed the signal straight through to the various cable systems. The transmitter power available on a satellite is very limited (5-10 watts). Even with a very large receiver dish, the raw carrier-to-noise ratio is far too low for acceptable picture quality if a linear modulation scheme (such as VSB AM, used for ordinary TV broadcasting) were used. Therefore, satellite TV transmissions are instead sent as wideband FM in a 40 MHz bandwidth. Since the baseband video signal is only 5 MHz wide, this results in a fairly large "FM improvement ratio" and a pronounced "capture" effect. Full receiver capture occurs at about a 10 dB S/N ratio, and this figure is essentially the same whether the "noise" is in fact thermal noise or another uplink signal. So for the purposes of fully overriding another uplink your signal must be about 10 dB stronger (10 times the power). The latest transponders are much more sensitive than those on the earliest C-band domestic satellites launched 12 years ago. Most of the 6 Ghz High Power Amplifiers (HPAs) in use at uplink stations are therefore capable of several kilowatts of RF output, but are actually operated at only several hundred watts. So Captain Midnite could have easily captured the HBO uplink if he had access to a "standard" uplink station (capable of several kilowatts into a 10 meter dish) or equivalent. I happened to turn on HBO in my Dayton, Ohio hotel room at about 1AM, half an hour after the incident occurred, and noticed lots of "sparklies" (FM noise) in the picture. At the time I grumbled something about having to pay $90/night for a hotel that couldn't even keep their dish pointed at the satellite, but I now suspect that the pirate was still on the air but that HBO had responded by cranking up the wick on their own transmitter. Because they were unable to run 10 dB above the pirate's power level, they were unable to fully recapture the transponder, hence the sparklies. (Can anyone else confirm seeing this, proving that my hotel wasn't in fact at fault?) Even though each transponder has a bandwidth of 40 MHz, it is separated by only 20 MHz from its neighbors. Alternating RF polarization is used to reduce "crosstalk" below the FM capture level. Polarization "diversity" isn't perfect, though, so it is possible in such a "power war" that the adjacent transponders could be interfered with, requiring *their* uplinks to compensate, which would in turn require *their* neighbors to do the same, and so on. So Captain Midnite could cause quite a bit of trouble for all the users of the satellite, not just HBO. Captain Midnite could have been anywhere within the Continental US, Southern Canada, Northern Mexico, the Gulf of Mexico, etc. In the worst case, it could be practically impossible to locate him. If he is caught, it will be either because he shoots off his mouth, arouses suspicion among his neighbors (or fellow workers, if a commercial uplink station), or transmits something (distinctive character generator fonts, etc) that gives him away. Only the NSA spooksats would be capable of locating him from his transmissions alone, and I suspect even they would require much on-air time to pinpoint the location accurately enough to begin an aerial search. Phil Karn ------------------------------ Date: Wed, 30 Apr 86 18:11:02 EDT From: Dan Franklin To: risks@sri-csl.arpa Subject: HBO hacking Re the interception of HBO's uplink by "Captain Midnight": I understand that the video scrambling is indeed pretty simple, consisting of reversing black and white on some "randomly-chosen" scan lines. It's easy to build a box that will undo this scrambling. The sound is much harder; it uses DES. In the accounts I read, Captain Midnight just put up a still video picture with no sound, which would make sense assuming that the uplink is encoded; he could easily encode his video but not his sound. Nicholas Spies seems to feel that the scrambling was purely an act of malice against individuals with dishes. Not so; according to a recent issue of Forbes, when HBO started scrambling, a number of CABLE TV OPERATORS they'd never heard of signed up for the decoders! If cable TV operators can charge their customers for HBO, why should they get it for free? I had some other comments about what the FCC Communications Act really says and what "public" means, but this is getting awfully far from Risks... "Telecom" and "poli-sci" are no doubt more appropriate. Dan Franklin (dan@bbn.com) [Thanks for the restraint. However, the relevance of the HBO case to RISKS is clear. Various risks exist -- but have been customarily ignored: easy free reception and spoofing without scrambling, video spoofing and denial of service even with scrambling. PGN] ------------------------------ Date: Thu, 1 May 86 10:43:02 EDT From: Herb Lin Subject: What are the limits to simulation? To: eugene@AMES-NAS.ARPA cc: RISKS@SRI-CSL.ARPA, LIN@MC.LCS.MIT.EDU From: eugene at AMES-NAS.ARPA (Eugene Miya) I really wonder what simulation's various limits are. I believe it was Eddington that said "The Universe is not only stranger than we imagine, but it is stranger than we can imagine." ------------------------------ Date: Thu, 1 May 86 10:41:18 EDT From: Herb Lin Subject: Strategic Systems Reliability Testing To: ball@MITRE.ARPA cc: RISKS@SRI-CSL.ARPA, LIN@MC.LCS.MIT.EDU, ARMS-D@MC.LCS.MIT.EDU From: ball at mitre.ARPA (Dan Ball) I'm relatively certain that the numbers of warheads actually reaching the target following the initiation of an attack would be far less than the numbers in the inventories. Probably true, if what you mean by target is a hardened silo. But if you aim at the center of a city, and you miss by a mile, that's still "reaching the target" too. And THAT is what the SDI is supposed to protect us against. Finally, the briefing from SDI office that I heard didn't promise perfection. Unlike some of the political supporters who promise that it will be safe for children to play outside during a nuclear exchange, the SDI technical types were talking about the impact it would have on the numbers and required modifications to the Soviet ICBMs that would be required for them to maintain the same confidence of assured first strike destruction of the US. None of the technical supporters believe in near-perfect defense. But the political supporters do, and they are lying to the public. ------------------------------ From: Jeff Siegal Date: Thu 1 May 86 18:15:43-EDT Subject: Correction on Challenger Discussion (RISKS-2.46) To: RISKS%SRI-CSL@EDDIE.MIT.EDU > "... Dr. William Doering, professor of chemistry at Harvard, pointed > out that ... was not an explosion at all. 'It is best described > as a fast fire ... If the fuel tank had exploded ... it would be > producing something much bigger ... " [...] Also, why did he wait until the crew module was found? Why didn't he say after seeing the pictures, "That's not an explosion, it's just a fast fire." It is stated in the original column that Dr. Doering's observation _was_ made when he watched the videotape, not months later, as Mr. Moore claims. Jeff Siegal ------------------------------ End of RISKS-FORUM Digest ************************ -------