26-Jan-87 22:40:06-PST,16013;000000000000 Mail-From: NEUMANN created at 26-Jan-87 22:38:31 Date: Mon 26 Jan 87 22:38:31-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 4.43 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest Monday, 26 January 1987 Volume 4 : Issue 43 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: "Cable `Hackers' Claim Scrambler is History"; other breaches (PGN) Re: VideoCypher II (Michael Grant) Re: DES cracked? (Douglas Humphrey) Re: Billions (Brian Randell) GM On-Board Computers (Wes Williams) Active control of skyscrapers (Peter G. Capek) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- Date: Mon 26 Jan 87 21:05:14-PST From: Peter G. Neumann Subject: "Cable `Hackers' Claim Scrambler is History"; other breaches To: RISKS@CSL.SRI.COM SF Chron 26 Jan 87, page 3 (from UPI): A year-old "unbreakable" scrambler that has kept satellite dish owners from receiving pay television channels free has been broken... The article describes the "Three Musketeers" chip, which you can use to replace a chip in the $395 decoder if you have any legitimate pay channel. It then goes on to quote Captain Midnight, who claims that an even more devastating breach has been discovered that does not even require the "Three Musketeers" chip! He recommends you not waste your money on the hot chip. By the way, recently SECURITY@RUTGERS has had quite a few items of interest to RISKS readers. Here are two: Given an Ethernet board, you can read ALL of the network traffic by flipping a single bit. A Sun System security breach was described, compromised via unpassworded special accounts. Some of the experiments with Gould's allegedly secure UNIX. ------------------------------ Date: Sat, 24 Jan 87 12:24:06 EST From: Michael Grant To: risks@csl.sri.com, security@rutgers.rutgers.edu Subject: Re: VideoCypher II >David Platt notes: >If, for example, the box had been provided with a cover-removal switch that >would signal the micro to erase it's subscriber number... Always best to eliminate the problem by redesigning that part in the next generation of the cypher so that such important numbers as that never leave the internals of chips. At that point, it becomes much more of a pain to probe than it may be worth, but...not entirly imposible. ------------------------------ Date: Sun, 25 Jan 87 14:42:09 EST From: Douglas Humphrey To: dplatt@teknowledge-vaxc.ARPA, risks@csl.sri.com, security@rutgers.rutgers.edu Subject: Re: DES cracked? >Way #3: someone's actually found a way of identifying the key of a DES >transmission, with (or possibly without) the unscrambled "plaintext" >audio as a starting point. Note that they can easily have the plaintext, since the best way to start experimenting on breaking something is to have two devices there, one subscribed and authorized, and the other not. That way you have (subject to trivial timing differences which can be ironed out) two streams of data to play with, and you really are just trying to make one look like the other. On another note, does anyone know of any good spectrum analysis software available for cheap to work with reasonable priced A/D converters ? There are a number of companies that sell the hardware required to eat signals, but most of the software that I have seen for actualy analysing the data is pretty weak. Maybe I'm just not in touch with the right companies... Doug ------------------------------ From: Brian Randell Date: Mon, 26 Jan 87 18:37:17 gmt To: Neumann@csl.sri.com Subject: Re: Billions ReSent-To: RISKS@CSL.SRI.COM Oops! Sorry - I am usually more careful about transatlantic differences in the meaning of "billion", though (regretfully) there is a growing tendency for at least the popular newspapers in the UK to conform to US usage re "billion", presumably because a "billion" is shorter and sounds more impressive than "a thousandmillion" and few people know that the proper English (or, if you insist, British) term for this is "milliard" - a term which does not seem to exist in American. In fact my Webster's Dictionary (I smuggled one into the UK with me when I left IBM) tells me that above one million, all the names differ across the Atlantic, even "septillion", "quattuordecillion", "novemdecillion", etc. I wonder whether any actual (computer-based) risks have arisen to the public from this confusion over billion - to match those that surely must have arisen over imperial vs metric scales, celsius vs fahrenheit, etc. For example, Edsger Dijkstra told me once of a remote manipulator built for the Anglo-Dutch firm Shell Oil which was usable only by a giant because it was built in metres instead of feet. And I recall, from my early days with the Atomic Power Division of English Electric, that our nuclear reactor codes had to deal with reactor designs in which the coolant entered a heat-exchanger (from something designed by physicists) in degrees centigrade (as it then was) and left (this domain of engineers) in degrees fahrenheit. Cheers, Brian [One such case was the Discovery laser experiment, which aimed upward to a point 10,023 MILES above sea level instead of downward to a point 10,023 FEET above sea level (a mountain top). Another was the $.5M transaction that became $500M because of nonagreement on units. Both (coincidentally) are described in Software Engineering Notes vol 10 no 3, which appeared just before the on-line RISKS Forum began. PGN] ------------------------------ Date: Sat 24 Jan 87 11:20:49-EST From: "Wes Williams" Subject: GM On-Board Computers [lightly edited] To: RISKS@CSL.SRI.COM As I have spent some time in the automotive repair field, I have come across an anomaly when General Motors' main computer system repairs are performed. I share it with you here. In two years after 1980 ( the year when GM installed an on-board computer on the vast majority of its models ) the repair facilities had a tendency to replace the complete computer assembly rather than troubleshoot the problem extensively. This was the transition period. Repair people were unfamiliar with the approriate procedures and also had a tendency to replace (Well I ain't ever done one of these before, boss!) rather than understand and repair an associated problem. During these two years, I replaced only two computers. One was from a car involved in an electrical fire, the other was in a car that had collision damage on the right side, close to the computer, and the computer was damaged (visibly). In 1985 I was troubleshooting a 1981 Cadillac that had the infamous 8-6-4 engine with a power-on stutter. I found a broken (cracked) distributor cap and saw High voltage (30-60,000 volts) shooting from the cap to the lead that was coming from the computer. This was the electronic timing advance control circuit. I replaced the bad cap, retested the car, and found that the problem was better but had not disappeared. All other associated tests were performed and no other problems were found except that the diagnostics generated by the on-board computer were all out of whack. On this model Caddy, if you press the climate control buttons you will get a diagnostic check run off by the cpu. The readout comes out as two-digit numbers on the temperature control. These numbers were never the same, and some were not within the diagnostic capability of the cpu. I was now in the position of the other fellows and said, "Well, gotta replace the cpu." A logical conclusion, knowing that the readout was not right, as well as seeing high voltages heading for the cpu. I pulled the cpu, headed for GM parts and was shocked to learn that I could not purchase a complete unit (proms included), I had to remove the old proms and install them in the "rebuilt" computer. Seemed a little dumb when the cpu was subjected to high voltages, to keep the old proms. After the change of cpu's and installation of old proms, there was no change in the operation of the engine. I quit and gave the car to Cadillac to repair. They spent untold hours on it, communicated with the Caddy hot line, had service reps around from the factory and made a large number of updates to a variety of systems as well as unnecessary other changes. Total bill? = $0.00. Even they couldn't fix it. It is running better, the stutter is still there, the car is on the road and getting slightly lower than average mileage. (sigh) Summary: To GM --> Why can't one replace the proms to the CPU. Are they burned in with detailed specific instructions according to each cars engine performance? To the public--> when a GM computer is replaced, the "core charge" or trade-in on the malfunctioning cpu is close to $300.00, so that drops the price of the cpu from $500.00 to $200.00. Watch your bills here!! (These figures are + or - $50.00 for the component only, not the labor.) To the technical types. --> It would seem feasible to design a program and attaching hardware to diagnose (at least one type (say GM)) of an on-board computer with a P.C. I know that Caddy spent at least 40 hours on this problem. At the labor rate of $38.00 per hour and knowing that there are other similar occurrences, there has to be some money to be made in the purchase of such a system as well as the sale. Quote 1: "Not knowing the answer is only being uneducated." Quote 2: "Not knowing where to look for the answer is being 'uninformed'." Quote 3: "When the product is a common one, and none know where to look for the answer, nor know it, this is truly ignorance." ------------------------------ Date: 26 January 1987, 20:37:17 EST From: "Peter G. Capek" To: risks@csl.sri.com, mnnnari!goanna.oz!wjb@seismo.css.gov Subject: Active control of skyscrapers Catching up on my reading, I noticed the recent discussion in RISKS about active control of skyscrapers. If this is still of interest, I offer the following excerpts from an article I happened across some years ago and clipped. It appeared in Engineering News Record, August 18, 1977. TUNE MASS DAMPERS STEADY SWAY OF SKYSCRAPERS IN WIND A 50-year-old idea of using the inertia of a heavy floating mass to tame the sway of a tall building is now getting its first real tryout in New York City and Boston skyscrapers. Citicorp Center in New York and Boston's Hancock Tower are newly fitted out with so-called tuned mass dampers, the first in tall buildings in the U.S., according to the designers of the systems, structural consultant LeMessurier Associates/SCI, Cambridge, Mass, and MTS Systems Corp., the manufacturer, Minneapolis. A tuned mass damper (TMD) consists of a heavy weight installed near a building's top in such a way that it tends to remain still while the building moves beneath it and in away that it can transmit this inertia to the building's frame, thereby reducing the building's motion. The mass itself need weigh only 0.25% to 0.75% of the building's total weight. When activated, it becomes free-floating (or "levitates" as its designers like to say) by rising on a nearly frictionless film of oil. Piston-like connectors, which are pneumatic springs in which pistons react against compressed nitrogen, are attached both to the mass and the building frame so that as the building sways away from the mass, the springs pull the building pack to the center. "Tuned" simply means the mass can be caused to move in a natural period equal to the building's natural period so that it will be more effective in counteracting the building's motion. During a heavy wind storm, the mass might appear to move in relation to the building some 2 to 4 ft. ... A TMD is a device to minimize the discomfort experienced by occupants when a building is swaying. As such, it can be used in place of adding structural steel to stiffen a building or adding concerete to weigh it down, which designers say is a much more costly way of reducing uncomfortable levels of motion. To the engineers who designed it, the TMD is a positive approach to relieving wind-induced building motion because it counteracts motion rather than first receiving it and then deadening it, which is the inefficient and more costly result of substantially increasing mass or stiffness. ... A TMD's advantage becomes academic in a power failure. It needs electricity to work and if that's lost in a heavey wind storm, when the TMD would be most needed, it won't work. ... The TMD designed for Citicorp's slender 914-foot tower in midtown Manhattan has a mass block of concrete 30 x 30 x 10 feet, with cutouts for attachments, that weighs 400 tons. It has two spring-damping mechanisms, one to counteract north-south motion and one for east-west motion. It also has an antiyaw device to prevent the mass block from twisting, a failsafe device consisting of shock absorbers and sunbbers to resist excessive or eccentric motion, and a control system that collects data on the building's motion and controls the response of the mass. It is located in a speciall designed space in the building's 59th floor, which is supported by trusses below. It is designed to activate at an acceleration of 3 milli-g's, which could be caused by about a 40-mph wind, and it is designed to prevent the building from deflecting more than 12 to 13 inches. LeMessurier estimates Citicorp's TMD, which cost about $1.5 million, saved overall a possible $3.5 to $4 million that would have been spent to add some 28,000 tons of structural steel to stiffen the frame and floor concrete to add weight. The TMD for the John Hancock Mutual Life Insurance Co.'s glass-clad landmark in Boston is somewhat different. First of all ... it was added as an afterthought when architect I.M. Pei & Partners realized that the building had insufficient wind bracing to prevent occupant discomfort. Secondly, Hancock Tower is rectangular in plan and is a frame building, unlike Citicorp's essentially bearing wall structure. For Hancock, then, LeMessurier placed two TMD's, one at either end of the 58th floor. Because of the building's shape and location, it must counteract mainly east-west winds and a twisting force. The dampers, then, move only in an east-west direction and can be induced to work together or in opposition to stablize the building. They are located 220 feet apart, and when moving in opposition act in effect as a 220-ft lever arm to resist twisting. A Hancock building official wouldn't reveal what it cost to add the dampers, which designers say could reduce the building's swaying motion a full 40 to 50% under what it had originally been designed for. ... Peter G. Capek, IBM Research -- Yorktown Heights, New York ------------------------------ End of RISKS-FORUM Digest ************************ -------