The RISKS Digest
Volume 4 Issue 43

Monday, 26th January 1987

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information features enabled by clicking the flashlight icon above. They are described in the news page. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o "Cable `Hackers' Claim Scrambler is History"; other breaches
o Re: VideoCypher II
Michael Grant
o Re: DES cracked?
Douglas Humphrey
o Re: Billions
Brian Randell
o GM On-Board Computers
Wes Williams
o Active control of skyscrapers
Peter G. Capek
o Info on RISKS (comp.risks)

"Cable `Hackers' Claim Scrambler is History"; other breaches

Peter G. Neumann <Neumann@CSL.SRI.COM>
Mon 26 Jan 87 21:05:14-PST
  SF Chron 26 Jan 87, page 3 (from UPI):

  A year-old "unbreakable" scrambler that has kept satellite dish owners
  from receiving pay television channels free has been broken...

The article describes the "Three Musketeers" chip, which you can use to
replace a chip in the $395 decoder if you have any legitimate pay channel.
It then goes on to quote Captain Midnight, who claims that an even more
devastating breach has been discovered that does not even require the "Three
Musketeers" chip! He recommends you not waste your money on the hot chip.

By the way, recently SECURITY@RUTGERS has had quite a few items of interest
to RISKS readers.  Here are two:

  Given an Ethernet board, you can read ALL of the network traffic by
  flipping a single bit.

  A Sun System security breach was described, compromised via unpassworded
  special accounts.

  Some of the experiments with Gould's allegedly secure UNIX.

Re: VideoCypher II

Michael Grant <>
Sat, 24 Jan 87 12:24:06 EST
>David Platt notes:
>If, for example, the box had been provided with a cover-removal switch that
>would signal the micro to erase it's subscriber number...

Always best to eliminate the problem by redesigning that part in the
next generation of the cypher so that such important numbers as that
never leave the internals of chips.  At that point, it becomes much
more of a pain to probe than it may be worth, but...not entirly imposible.

Douglas Humphrey <>
Sun, 25 Jan 87 14:42:09 EST
Subject: Re: DES cracked?

>Way #3: someone's actually found a way of identifying the key of a DES
>transmission, with (or possibly without) the unscrambled "plaintext"
>audio as a starting point.

Note that they can easily have the plaintext, since the best way to
start experimenting on breaking something is to have two devices
there, one subscribed and authorized, and the other not. That way you
have (subject to trivial timing differences which can be ironed out)
two streams of data to play with, and you really are just trying to 
make one look like the other. 

On another note, does anyone know of any good spectrum analysis 
software available for cheap to work with reasonable priced A/D
converters ? There are a number of companies that sell the hardware
required to eat signals, but most of the software that I have seen
for actualy analysing the data is pretty weak. Maybe I'm just not
in touch with the right companies...

Re: Billions

Brian Randell <>
Mon, 26 Jan 87 18:37:17 gmt
Oops! Sorry - I am usually more careful about transatlantic differences in
the meaning of "billion", though (regretfully) there is a growing tendency
for at least the popular newspapers in the UK to conform to US usage re
"billion", presumably because a "billion" is shorter and sounds more
impressive than "a thousandmillion" and few people know that the proper
English (or, if you insist, British) term for this is "milliard" - a term
which does not seem to exist in American.

In fact my Webster's Dictionary (I smuggled one into the UK with me when I
left IBM) tells me that above one million, all the names differ across the
Atlantic, even "septillion", "quattuordecillion", "novemdecillion", etc.

I wonder whether any actual (computer-based) risks have arisen to the public
from this confusion over billion - to match those that surely must have
arisen over imperial vs metric scales, celsius vs fahrenheit, etc.  For
example, Edsger Dijkstra told me once of a remote manipulator built for the
Anglo-Dutch firm Shell Oil which was usable only by a giant because it was
built in metres instead of feet.  And I recall, from my early days with the
Atomic Power Division of English Electric, that our nuclear reactor codes
had to deal with reactor designs in which the coolant entered a
heat-exchanger (from something designed by physicists) in degrees centigrade
(as it then was) and left (this domain of engineers) in degrees fahrenheit.

Cheers, Brian

  [One such case was the Discovery laser experiment, which aimed upward to a
   point 10,023 MILES above sea level instead of downward to a point 10,023
   FEET above sea level (a mountain top).  Another was the $.5M transaction
   that became $500M because of nonagreement on units.  Both (coincidentally) 
   are described in Software Engineering Notes vol 10 no 3, which appeared
   just before the on-line RISKS Forum began.  PGN]

GM On-Board Computers [lightly edited]

Sat 24 Jan 87 11:20:49-EST
     As I have spent some time in the automotive repair field, I have come
across an anomaly when General Motors' main computer system repairs are
performed.  I share it with you here.

     In two years after 1980 ( the year when GM installed an on-board
computer on the vast majority of its models ) the repair facilities had a
tendency to replace the complete computer assembly rather than troubleshoot
the problem extensively.  This was the transition period.  Repair people
were unfamiliar with the approriate procedures and also had a tendency to
replace (Well I ain't ever done one of these before, boss!) rather than
understand and repair an associated problem.

     During these two years, I replaced only two computers.  One was from a
car involved in an electrical fire, the other was in a car that had
collision damage on the right side, close to the computer, and the computer
was damaged (visibly).

     In 1985 I was troubleshooting a 1981 Cadillac that had the infamous
8-6-4 engine with a power-on stutter.  I found a broken (cracked) distributor
cap and saw High voltage (30-60,000 volts) shooting from the cap to the lead
that was coming from the computer.  This was the electronic timing advance
control circuit.  I replaced the bad cap, retested the car, and found that
the problem was better but had not disappeared.  All other associated tests
were performed and no other problems were found except that the diagnostics
generated by the on-board computer were all out of whack.  On this model
Caddy, if you press the climate control buttons you will get a diagnostic
check run off by the cpu.  The readout comes out as two-digit numbers on the
temperature control. These numbers were never the same, and some were not
within the diagnostic capability of the cpu.

     I was now in the position of the other fellows and said, "Well, gotta
replace the cpu." A logical conclusion, knowing that the readout was not
right, as well as seeing high voltages heading for the cpu.

     I pulled the cpu, headed for GM parts and was shocked to learn that I
could not purchase a complete unit (proms included), I had to remove the old
proms and install them in the "rebuilt" computer.  Seemed a little dumb when
the cpu was subjected to high voltages, to keep the old proms.

     After the change of cpu's and installation of old proms, there was no
change in the operation of the engine. I quit and gave the car to Cadillac to
repair. They spent untold hours on it, communicated with the Caddy hot line,
had service reps around from the factory and made a large number of updates
to a variety of systems as well as unnecessary other changes.  Total bill?   
=   $0.00.  Even they couldn't fix it. It is running better, the stutter is
still there, the car is on the road and getting slightly lower than average
mileage.   (sigh)

     Summary:              To GM --> Why can't one replace the proms to the
CPU. Are they burned in with detailed specific instructions according to each
cars engine performance?

             To the public--> when a GM computer is replaced, the "core
charge" or trade-in on the malfunctioning cpu is close to $300.00, so that
drops the price of the cpu from $500.00 to $200.00.  Watch your bills here!!
(These figures are + or - $50.00 for the component only, not the labor.)

             To the technical types. --> It would seem feasible to design a
program and attaching hardware to diagnose (at least one type (say GM)) of
an on-board computer with a P.C.  I know that Caddy spent at least 40 hours
on this problem.  At the labor rate of $38.00 per hour and knowing that there
are other similar occurrences, there has to be some money to be made in the
purchase of such a system as well as the sale.

   Quote 1: "Not knowing the answer is only being uneducated."

   Quote 2: "Not knowing where to look for the answer is being 'uninformed'."

   Quote 3: "When the product is a common one, and none know where to look
             for the answer, nor know it, this is truly ignorance."

Active control of skyscrapers

"Peter G. Capek" <>
26 January 1987, 20:37:17 EST
Catching up on my reading,  I noticed the recent discussion in RISKS about
active control of skyscrapers.  If this is still of interest, I offer the
following excerpts from an article I happened across some years ago and
clipped.  It appeared in Engineering News Record, August 18, 1977.


A 50-year-old idea of using the inertia of a heavy floating mass to tame the
sway of a tall building is now getting its first real tryout in New York
City and Boston skyscrapers.  Citicorp Center in New York and Boston's
Hancock Tower are newly fitted out with so-called tuned mass dampers, the
first in tall buildings in the U.S., according to the designers of the
systems, structural consultant LeMessurier Associates/SCI, Cambridge, Mass,
and MTS Systems Corp., the manufacturer, Minneapolis.

A tuned mass damper (TMD) consists of a heavy weight installed near a
building's top in such a way that it tends to remain still while the
building moves beneath it and in away that it can transmit this
inertia to the building's frame, thereby reducing the building's motion.

The mass itself need weigh only 0.25% to 0.75% of the building's total
weight.  When activated, it becomes free-floating (or "levitates" as its
designers like to say) by rising on a nearly frictionless film of oil.
Piston-like connectors, which are pneumatic springs in which pistons react
against compressed nitrogen, are attached both to the mass and the building
frame so that as the building sways away from the mass, the springs pull the
building pack to the center.

"Tuned" simply means the mass can be caused to move in a natural period
equal to the building's natural period so that it will be more effective in
counteracting the building's motion.  During a heavy wind storm, the mass
might appear to move in relation to the building some 2 to 4 ft.  ...

A TMD is a device to minimize the discomfort experienced by occupants when a
building is swaying.  As such, it can be used in place of adding structural
steel to stiffen a building or adding concerete to weigh it down, which
designers say is a much more costly way of reducing uncomfortable levels of
motion.  To the engineers who designed it, the TMD is a positive approach to
relieving wind-induced building motion because it counteracts motion rather
than first receiving it and then deadening it, which is the inefficient and
more costly result of substantially increasing mass or stiffness.  ...

A TMD's advantage becomes academic in a power failure.  It needs electricity
to work and if that's lost in a heavey wind storm, when the TMD would be
most needed, it won't work.  ...

The TMD designed for Citicorp's slender 914-foot tower in midtown Manhattan
has a mass block of concrete 30 x 30 x 10 feet, with cutouts for attachments,
that weighs 400 tons.  It has two spring-damping mechanisms, one to
counteract north-south motion and one for east-west motion.  It also has an
antiyaw device to prevent the mass block from twisting, a failsafe device
consisting of shock absorbers and sunbbers to resist excessive or eccentric
motion, and a control system that collects data on the building's motion
and controls the response of the mass.  It is located in a speciall designed
space in the building's 59th floor, which is supported by trusses below.
It is designed to activate at an acceleration of 3 milli-g's, which could
be caused by about a 40-mph wind, and it is designed to prevent the building
from deflecting more than 12 to 13 inches.

LeMessurier estimates Citicorp's TMD, which cost about $1.5 million, saved
overall a possible $3.5 to $4 million that would have been spent to add some
28,000 tons of structural steel to stiffen the frame and floor concrete to
add weight.

The TMD for the John Hancock Mutual Life Insurance Co.'s glass-clad landmark
in Boston is somewhat different.  First of all ... it was added as an
afterthought when architect I.M. Pei & Partners realized that the building
had insufficient wind bracing to prevent occupant discomfort.  Secondly,
Hancock Tower is rectangular in plan and is a frame building, unlike
Citicorp's essentially bearing wall structure.  For Hancock, then,
LeMessurier placed two TMD's, one at either end of the 58th floor.  Because
of the building's shape and location, it must counteract mainly east-west
winds and a twisting force.  The dampers, then, move only in an east-west
direction and can be induced to work together or in opposition to stablize
the building.  They are located 220 feet apart, and when moving in
opposition act in effect as a 220-ft lever arm to resist twisting.  A
Hancock building official wouldn't reveal what it cost to add the dampers,
which designers say could reduce the building's swaying motion a full 40 to
50% under what it had originally been designed for.  ...

Peter G. Capek, IBM Research — Yorktown Heights, New York

Please report problems with the web pages to the maintainer