Subject: HBO gets Hacked:: We Interrupt This Program ... for a Viewer Protest.
From: the tty of Geoffrey S. Goodfellow <Geoff@SRI-CSL.ARPA>
To: videotech@SEISMO.CSS.GOV, telecom@XX.LCS.MIT.EDU
Cc: neumann@SRI-CSL.ARPA, shadow@AIM.RUTGERS.EDU

    NEW YORK (AP) - A video hacker calling himself ''Captain Midnight''
s to the Plains early
Sunday when he interrupted a movie on Home Box Office with a printed
message protesting HBO's scrambling of its satellite-to-earth TV
signals.
    ''It's a criminal, willful interference of a government-licensed
satellite broadcast,'' fumed David Pritchard, an HBO vice president,
who said the cable system had received sabotage threats in recent
months.
    Pritchard said HBO planned to report the incident to the Federal
Communications Commission.
    ''It's kind of like terrorism of the airwaves,'' said Greg Mahany,
who was watching in Middletown, Ohio, when the message interrupted
''The Falcon and The Snowman.''
    The message, printed in white letters on a color-bar test pattern
background, read: ''Goodevening HBO from Captain Midnight. $12.95 a
month? No way! (Showtime-Movie Channel Beware.)''
    Mahany said that at first the picture flipped back and forth between
the message and the movie, making it seem like ''HBO was trying to
get its signal back. ... It looked like a fight for control of the
microwave beam.''
    The message appeared at 12:30 a.m., Eastern time, and remained on
the air about five minutes. It was seen in the eastern two-thirds of
the nation, which accounts for more than half of HBO's 14.6 million
subscribing households.
    Pritchard said the hacker, apparently with the use of a satellite
dish and a powerful transmitter, effectively replaced HBO's signal
with his own.
    For some reason - possibly because Captain Midnight's signal was
better-timed or more powerful - HBO's satellite received the hacker's
signal instead of HBO's and beamed it down to HBO's earth relay
stations.
    Sunday's intrusion was immediately noticed at HBO's communications
center in Hauppauge, N.Y., but it was not clear whether the hacker
ended his own message or was forced off by HBO.
    Pritchard said HBO would have no comment on that. ''We have
implemented some technical remedies, and we're pursuing others,'' he
said. ''This represents a clear danger to every satellite user.''
    Pritchard said action like Sunday morning's had been threatened in
letters to HBO and in magazines read by dish owners.
     ''We'd been threatened for the last four or five months with
something like this if we didn't reconsider our plan to scramble,''
he said. ''They said they'd do something. They didn't say what.''
    The HBO cable signal is scrambled to prevent reception in homes
wired for cable television but not equipped with an HBO converter.
Until earlier this year, satellite dish owners were able to intercept
the unscrambled signal HBO bounces off satellites to the earth
stations that relay the signal via cable.
    In January, however, HBO began scrambling all its satellite-to-earth
signals. HBO told dish owners who had been watching for free they
would have to buy a descrambler for $395 and pay $12.95 a month.
    Another leading pay cable service, Showtime, announced plans for a
similar system.
    Pritchard said about 6,000 dish owners put down the cash for the
decoder and signed up for HBO or its sister service, Cinemax. But the
proposal has been unpopular with others.
    ''They say things like, 'The airwaves are free,' and 'They (HBO) are
using government satellites that our taxes pay for,''' Pritchard
said.
    Pritchard said HBO's programs are its property, and it leases space
from privately owned satellites.

Date: Sun, 27 Apr 1986  22:39 MDT
From: "Frank J. Wancho" <WANCHO@SIMTEL20.ARPA>
To:   "the tty of Geoffrey S. Goodfellow" <Geoff@SRI-CSL.ARPA>
Cc:   neumann@SRI-CSL.ARPA, [...]
Subject: HBO gets Hacked:: We Interrupt This Program ... for a Viewer Protest.

    Until earlier this year, satellite dish owners were able to
    intercept the unscrambled signal HBO bounces off satellites to the
    earth stations that relay the signal via cable.

It is interesting to note that while protective "alledgedly" and similar
words are freely sprinkled in newsprint, the writer of the above chose
"intercept" over "receive".  The word "intercept" implies "theft", a
criminal act.  That "intercept" was unmodified and not a quote implies the
allegation was accepted as fact proven in court.  Is this indeed the case,
or simply the viewpoint held by the programming services?  If the latter,
then it was inappropriate and perhaps biased to use "intercept".

Just asking...

--Frank


Date: Tue, 22 Apr 86 07:37:13 pst
From: Neumann@SRI-CSL.ARPA
Subject: Ball's contribution on Polaris and SDI (from Dave Parnas)
To: RISKS@SRI-CSL.ARPA

Dave Parnas is now on his way to Australia for almost two months, so
please don't expect him to reply.  But on his way out, he sent me this
*--*  Qmodem Capture File  06/05/86 20:27:54  *--*
justified display of civil disobedience. I live in Pittsburgh, which has a
(pathetic) cable company to which I subscribe, so I am not an aggrieved dish
owner, but I sympathize with them. Why? Because cable program providers MUST
factor in ONLY wired-in subscribers when signing contracts to buy
programming (or else they are idiots) so the fringe viewers with discs (most
often far from any cable company) have little or nothing to do with their
financial situations. HBO's decision to scramble its signal to force people
who cost HBO, or cable systems, ABSOLUTELY NOTHING to "hook up" is
ridiculous; at least disc owners should be given a hefty credit for their
investment before having to buy a descrambler and pay monthly rates. Not
being a lawyer, it also seems that scambling makes a mockery of the 1934
Communications Act, which prevents encoded transmissions over public
channels.

This sort of problem may prevent another medium -- videodiscs -- from
fulfilling their promise of providing vast aounts of cheap information.
Consider: a 12" videodisc can store up to 108,000 frames of information.
What information? In the case of NASA, lots of planetary images. In the case
of the National Gallery of Art, 1645 art works and a couple of movies. But
what if a videodisc publisher wanted to provide a comprehensive collection
of ALL major works of western art, 65 TIMES the number of art works provides
on the NGA disc. As it stands, this would be impossible because each
provider of art images would want a royalty for each disk (to pay costs,
perhaps 1 cent per work per copy. But this would mean a $10,800 royalty PER
DISC for all suppliers, which would make the disc completely unsalable,
making a comprehensive history of art expert system all but impossible to
develop because the costs could not be amortized. (If you think this is
outlandish, consider that the Metropolitan Museum in New York wanted to
charge the US Marine Corps $50 for the LOAN of a photograph of an artifact
that the Marines wanted to include in their Bicentennial exhibit in
Washington DC in 1976. The Marines, to their credit, declined to pay.)

Some new paradigm will have to be worked out before mega-media will be
acceptable both to information providers and consumers.


Date: Mon, 28 Apr 86 21:51:15 edt
From: mikemcl@nrl-csr (Mike McLaughlin)
To: risks@sri-csl.ARPA
Subject: HBO -- Hacked Briefly Overnight

Overpowering a transmitter is essentially trivial.  If HBO was scrambling
its uplink, Captain Midnight's missive must have been similarly scrambled.
Perhaps HBO's scramble algorithm is also trivial.  Of course, if the uplink
is in the clear, Captain Midnight merely needed brute force.  Anyone know
how or where the signal is scrambled?  Or whether an HBO receiver set to
unscramble will pass an in-the-clear signal?  I realize that facts may set
limits to the discussion.  Regrettable.

------------------------------

   Satellite transponders used by the cable TV industry to relay programs are
"bent pipes", that is, they simply repeat whatever they hear.  The M/A-Com
scrambler equipment is all on the ground. However, the descramblers will
switch to "pass through" mode if a nonscrambled signal is received.
Therefore, when Captain Midnite sent his unencoded signal, the descramblers
simply passed the signal straight through to the various cable systems.

The transmitter power available on a satellite is very limited (5-10 watts).
Even with a very large receiver dish, the raw carrier-to-noise ratio is far
too low for acceptable picture quality if a linear modulation scheme (such
as VSB AM, used for ordinary TV broadcasting) were used.  Therefore,
satellite TV transmissions are instead sent as wideband FM in a 40 MHz
bandwidth.  Since the baseband video signal is only 5 MHz wide, this results
in a fairly large "FM improvement ratio" and a pronounced "capture" effect.
Full receiver capture occurs at about a 10 dB S/N ratio, and this figure is
essentially the same whether the "noise" is in fact thermal noise or another
uplink signal.  So for the purposes of fully overriding another uplink your
signal must be about 10 dB stronger (10 times the power).

The latest transponders are much more sensitive than those on the earliest
C-band domestic satellites launched 12 years ago.  Most of the 6 Ghz High
Power Amplifiers (HPAs) in use at uplink stations are therefore capable of
several kilowatts of RF output, but are actually operated at only several
[Khundred watts.  So Captain Midnite could have easily captured the HBO uplink
i he had access to a "standard" uplink station (capable of several
kilowatts into a 10 meter dish) or equivalent.

I happened to turn on HBO in my Dayton, Ohio hotel room at about 1AM, half
an hour after the incident occurred, and noticed lots of "sparklies" (FM
noise) in the picture. At the time I grumbled something about having to pay
$90/night for a hotel that couldn't even keep their dish pointed at the
satellite, but I now suspect that the pirate was still on the air but that
HBO had responded by cranking up the wick on their own transmitter.  Because
they were unable to run 10 dB above the pirate's power level, they were
unable to fully recapture the transponder, hence the sparklies.  (Can anyone
else confirm seeing this, proving that my hotel wasn't in fact at fault?)

Even though each transponder has a bandwidth of 40 MHz, it is separated by
only 20 MHz from its neighbors. Alternating RF polarization is used to
reduce "crosstalk" below the FM capture level. Polarization "diversity"
isn't perfect, though, so it is possible in such a "power war" that the
adjacent transponders could be interfered with, requiring *their* uplinks
to compensate, which would in turn require *their* neighbors to do the same,
and so on.  So Captain Midnite could cause quite a bit of trouble for
all the users of the satellite, not just HBO.

Captain Midnite could have been anywhere within the Continental US, Southern
Canada, Northern Mexico, the Gulf of Mexico, etc.  In the worst case, it
could be practically impossible to locate him.  If he is caught, it will be
either because he shoots off his mouth, arouses suspicion among his
neighbors (or fellow workers, if a commercial uplink station), or transmits
something (distinctive character generator fonts, etc) that gives him away.
Only the NSA spooksats would be capable of locating him from his
transmissions alone, and I suspect even they would require much on-air time
to pinpoint the location accurately enough to begin an aerial search.

Phil Karn

------------------------------

Date:     Wed, 30 Apr 86 18:11:02 EDT
From:     Dan Franklin <dan@bbn-prophet.arpa>
To:       risks@sri-csl.arpa
Subject:  HBO hacking

Re the interception of HBO's uplink by "Captain Midnight": I understand
that the video scrambling is indeed pretty simple, consisting of reversing
black and white on some "randomly-chosen" scan lines.  It's easy to build
a box that will undo this scrambling.  The sound is much harder; it uses
DES.  In the accounts I read, Captain Midnight just put up a still video
picture with no sound, which would make sense assuming that the uplink is
encoded; he could easily encode his video but not his sound.

Nicholas Spies seems to feel that the scrambling was purely an act of
malice against individuals with dishes.  Not so; according to a recent
issue of Forbes, when HBO started scrambling, a number of CABLE TV
OPERATORS they'd never heard of signed up for the decoders!  If cable TV
operators can charge their customers for HBO, why should they get it for free?

I had some other comments about what the FCC Communications Act really
says and what "public" means, but this is getting awfully far from Risks...
"Telecom" and "poli-sci" are no doubt more appropriate.

        Dan Franklin (dan@bbn.com)

     [Thanks for the restraint.  However, the relevance of the HBO case to
      RISKS is clear.  Various risks exist -- but have been customarily
      ignored: easy free reception and spoofing without scrambling,
      video spoofing and denial of service even with scrambling.  PGN]

------------------------------
  This article was doenladed from the Unet by Dr. Strangelove.