"Doctor Mabuse: Hacker to the M-M-Max" by Morgan Russell in "Reality Hackers" Magazine Issue #5, 1988 Chicago, November 22, 1987 9 P.M. Viewers tune into WGN TV's Nightly News for the accustomed broadcast reports from the world-at-large. A mysterious TV pirate is, at the same time, aiming a microwave antenna at WGN's STL (Studio to Transmitter Link) preparing to overpower the station's signal. 9:14 P.M. Sports anchor Dan Roan is interrupted in mid-report by the f-f-f-figure of Max Headroom who remains on-air for 25 seconds before WGN switches to its backup STL frequency. 11:10 The pirate overpowers WTTW TV's signal going to their STL on the Sears Tower. For one minute twwenty-eight seconds Max broadcasts his message over one of the largest population centers in the United States, including comments about a WGN radio and TV sports announcer, and displaying someone's bare ass being hit with a fly swatter. WTTW loses control of its transmitter entirely and is powerless to shut it down. Berkeley, March 31: Phone conversation between Morgan Russell and famed hacker/cracker "Deep Tokes": Morgan Russell: "What do you think of the comments in Television Broadcast (leading broadcast journal) that 'millions of Americans who rely solely on TV for news and information might be easy prey for manipulation,' that it's 'a potential threat to national security,' and that 'our very society would be disrupted?...'" Mystery Caller: "I'd say stations should just belly up to the bar and ordetr some fiber-optic cable for security and get reasonable bandwidth into the bargain," says an adenoid-afflicted voice not belonging to my interlocutor. "Someone there with you, Deep Tokes?" "So sorry to break in, but your line was busy and my time here is short. i don't access REMOB (remote observation) unless I'm pressed for time." "Uh, Morgan," Deep Tokes interjects nervously, "I've got ta workout scheduled. Gotta go." Click. "Didn't mean to break anything up..." the interloper drawls. 
"Who is this?" "Let's just say an 'Interested Observer.' Your newsletter is amusing, but it's a bit wimpy in the data department. you need a little hard data... a technological hormone injection..." I break into the Interested Observer's languid simpering air, "we'll see who needs a hormone injection." "Temper, temper, dearie. Listen, we must do lunch. If you want to know about Max, I'm the one to talk to." "Well,..." I hesitate. "Meet me at the Durant at one. I'll be wearing a green carnation." * * * * * "You seem to know who I am, but what should I call you?" "You can call me..." he muses thoughtfully while surveying the wine list with thinly veiled disdain, "ah, yes... why not simply call me Doktor Mabuse." "Tell me, Doktor, how does a TV pirate like the Max Headroom clone take over a station?" "Very simply. Max Headclone isn't a model pirate, though. Certainly he's an RF technician, possibly on the payroll of a fiber-optic company trying to drum up business, but his job was amateurish in certain respects: his broadcast on WGN had no sound because he wasn't using the proper audio subcarrier; he wasn't able to switch STL frequencies when WGN did twenty-five seconds into the broadcast; and his broadcast on WTTW was so brief that a viewer who went to the bathroom or the fridge for an instant would have missed his slot entirely. If it's not listed in TV Guide, it has to be long enough to attack people who are channel-switching. And there's no indication that he knew the remote-control protocol to take complete control of the transmitter." "Well, how would a savvier pirate do it?" "This is what I'd tell her: Catch the sign-off of the desired station. They're always bragging how tall their transmitter is on the *tallest* building or the *highest* peak, and they give their studio location so you can contact them about it, so she'll merely need to find a hotel in between these two sites in the cone of reception of the transmitter antenna. 
She can obtain frequency information from her friendly neighborhood FCC field office or gather complete information by putting a spectrum-analyzer in the line of the signal and looking closely at what's being sent out, de-modulating it, and doing another spectrum-analysis of that to determine the base-band."

"Spectrum-analysis?"

"A spectrum-analyzer is a very fancy CRT display which costs five-to-twenty thousand dollars. Five hundred to two thousand dollars to rent one for a month. Generally speaking, a monthly rental on any of this equipment is about a tenth the purchase price. But I digress. Some have digital displays and all manner of bells and whistles. Hewlett-Packard makes a particularly fine one. Simpler spectrum-analyzers are in the two-to-five thousand dollar range. The spectrum analyzer can be used as a frequency measuring device with accuracy down to a megahertz or so, which is probably close enough.

"A normal Beta or VHS jitters too much to be acceptable for broadcast. It may prevent operation of the STL if the STL is equipped with a mechanism which shuts itself down in the absence of a stable signal. Super VHS with a time-base corrector would yield broadcastable quality. Some transmitters, however, are equipped with a time-base corrector, in which case she can send any kind of signal. The audio requires seventy-five microseconds pre-emphasis to shape the frequency response of the base-band."

"Our pirate can derive the remote-control protocol by first determining the brand of STL the station uses. TV stations allow the public to view their facilities at least once a year when they have open-houses. She can note the brand they use, for example, Moseley. She could also just call the station and ask for the Chief Engineer. These techie-types just love to discuss what they do and are usually most willing to give a run-down of their equipment to anyone who's interested and sounds halfway plausible. Anyone in college with a class assignment, for example.
She might also go to the NAB (National Association of Broadcasters) convention - there's one coming up soon in Vegas. She could strike up a conversation at an STL manufacturer's booth and learn what format they use and obtain a list of stations which use their equipment. The technical or service manuals will indicate what frequencies subcarrier generators operate at, what the deviation is, and what the level on the composite is. She might also analyze what's on the control-channel, though they use very high-speed signals which can be tricky to follow.

"The station may have a Telco link controlling the transmitter. This is a much more secure arrangement. If our pirate can obtain the access and control codes, she can turn the transmitter on and off, raise and lower its power, hear sounds around the transmitter site, and get readings through a speech synthesizer of the plate-current, output power, and plate voltage, all with a touch-tone phone. She could, of course, just turn the transmitter off and leave her phone off the hook to wipe out transmission entirely until someone drives to the transmitter site and physically turns it back on.

"Scanning the code is difficult. It has eight digits with twelve possibilities for each and unsuccessful tries at the code are noted.

"She needs a stable oscillator that can be frequency-modulated with several signals at once: the composite video (video and color information), the sound information, and special sub-carriers to activate the STL. She can use a VCO (Voltage-Controlled Oscillator), or something which can be modulated like one, as the basic source of the signal. A Gunn-oscillator unit, like an Avantek, would operate the proper frequency band. The voltage-control input allows her to frequency-modulate. She applies the voltage stated on the unit, for instance, eight-and-a-half volts. It takes about an amp to start and puts out approximately ten milliwatts.
An attenuator must be put between the VCO and the power amplifier to keep the signal from overloading the amplifier. It should be adjustable so she can give it just enough power to do the job. She should use attenuator-pads with her power meter. The power heads can only take one hundred milliwatts and she'd want to measure up to ten watts.

"The Gunn oscillator has a fairly thick screw which alters the volume of the cavity into which it moves, thereby altering the frequency. Many have a little varactor diode which is a Voltage Variable Capacitor Diode with a little loop of wire attached. Varying the voltage across this diode varies the frequency only slightly, but enough to modulate it.

"The 20 dB directional coupler I show could just as well be a 30 dB unit if the counter is sensitive enough. This is the tap-off off the oscillator to monitor the frequency," Herr Doktor indicates with a golden nib. "The frequency counter or the frequency measuring device must have a constant level.

"A microwave frequency counter is a device that can actually count and measure the frequency coming out of the antenna, the VCO, or the amplifier. She can use the counter to adjust the input of the VCO. It acts as a digital AFC which holds the frequency on. A microwave frequency counter costs about five thousand dollars, but there are enough around so one could probably be borrowed for the night. Cheaper frequency-control methods could also be used. A ten-foot length of coax with a line-stretcher, and an R.F. mixer would form a fairly good discriminator or FM detector and is tunable. It would be a multiple-wavelength piece that would go through a zero-point twice every hundred megahertz. She'd adjust the length with a line-stretcher to get on the right zero-point.
Other ways of stabilizing it are static-locking or phase-locking it with a crystal, then a frequency multiplier having an output that is filtered for the desired frequency, comparing the two frequencies and keeping them close. If the device is stable enough, she might be able to use it "as is" for a quickie. It wouldn't drift much in a couple of minutes."

"How could she avoid getting cut off the air if the station switches its STL frequency on her?"

"Most TV stations have at least two STL frequencies and can switch from one to another. I've diagrammed a set-up here with a frequency counter and D/A (Digital-to-analog) converter with offset. The D/A with offset takes the number from the frequency counter and converts it to analog for the frequency control loop. She could have a digital control here and set the frequency she wants. This counter could be locked-onto and would then automatically pull the oscillator into the right frequency. If the station flipped to another frequency on the same band, her broadcast would simply flip frequencies synchronously. If the alternate frequency were on another band, she'd need an additional frequency control loop to have the capacity to flip frequencies along with the TV station.

"A travelling-wave tube is probably the most available RF Amplifier, but GaAs FET (Gallium Arsenide Field Effect Transistor) - type amplifiers may also be available. It would have to be a clean amplifier, preferably linear, so the output power is readily adjustable. She'd select the power capability of the amplifier depending on the type of antenna used and the distance from the transmitter. She needs only twice the paltry amount of power the studio puts out. In the typical set-up, the station sends half-a-watt into a four-foot dish. If she's halfway between the station and the transmitter, a quarter-watt would overpower the signal. Every time she halves the distance to the transmitter, she needs only a quarter the power.
If she overloads the STL receiver, however, the transmission quality is degraded or the receiver shuts down. STLs are as finicky about a signal as pampered Persians are about a proffered hors d'oeuvre.

"Finally, our pirate needs to tune her antenna by taking a reflected-power reading. Ideally she'd want a hundredth part of the power returning. That would be a good match. Once she's tuned it she can then just monitor the forward power as she broadcasts.

"A satellite uplink is very much the same basic idea as this set-up except the power-end of it is much greater. One would want to be able to vary one's power from fifty to five hundred watts into a twenty-four foot dish. A large dish is highly detectable, but if twenty people banded together, each with her backyard dish and a ten-watt amplifier sending frequencies precisely locked to come into phase at the same satellite, the regular satellite uplink would be overridden and there would be no good way to determine where the signal was coming from. The technical expertise required is considerable, but don't underestimate the ingenuity and rebellious spirit of all the independent cusses who bought satellite dishes, some at very great expense, to receive all the satellite signals, only to have some of them scrambled in an attempt by the broadcaster to sell descramblers and charge monthly fees for the dubious privilege of watching TV."