Thoughts About Less Than Lethal Weapon
CONCEPTS FOR LESS THAN LETHAL WEAPONS
Properly developed software implemented using RF provides a basis for intrusion into
communications, computer networks, electronic signal feedback, etc. The potential of
computer-inspired corruption, once reverse engineered, is virtually unlimited. The use of soft
code offers a "cheap shot" effective mechanism. At present, defenders are at a loss
as to whether and when corruption is used. We believe that so much time has been spent
identifying and halting software aggression that little, if any, effort has been directed to
using this concept as a defensive system intrusion mechanism.
The simplest use of corruption is in the area of telecommunications. In order to
deter the theft of a video signal, a soft code routine can be transmitted
which corrupts the video and/or audio micro-circuitry of a receiving device. Sobczak has
code which manipulates the CIPHER II encryption mechanism, thus allowing a less-lethal
weapon to be created. Controlling devices would be equipped with appropriate protection
to neutralize less-lethal attacks.
Sobczak's V-PHAGE and WATCHDOG/PARANOIA are software filters which
trap and stop corruption in traditional computational devices. Normal transmission
continues unimpeded as a threat is copied and logged for review and analysis. Sobczak
can build a less-lethal weapon to compromise the attacking device. Research into the
universe of commercially known software to identify aggression shows that emphasis
is placed upon recognition of predefined patterns. In the majority of cases, variants
bypass the protection in commercial software. Commercial software
to protect against aggression only identifies that which has been located and is known.
It can be re-engineered to be a less-lethal weapon.
Hackers exchange parts' lists and fabrication methods on RBBS. The supposed
privacy of any transmission network is readily available to a universe of non-approved
users. Even the most sophisticated, potentially unattainable network is at risk (IDHS,
DEFSMAC, SACINTNET, JSANS or lower (NYSPIN)). Our research has validated this
occurrence. It should be noted that an aggressor need not do physical damage to be
dangerous.
Sobczak has experimented with the concept of unique destruction. We have found
that corrupt digital signals, copied to tape, are equally effective when transferred to
unprotected machines. This mechanism allows an intruder to leave time bombs anywhere,
with execution triggered by a designated stimulus. Execution might also be in real time.
The introduction and extension from PWB (printed wire boards) to high-powered chips
opens the door to electro-corruption. Computers and connectivity used to integrate
operations and controls are simple targets. It is imperative that we protect existing
physical resources while extending the state-of-the-art of operational equipment that, by
its nature, produces less-lethal corruption.
Using the information available from non-traditional sources, it is possible to create a
range of responses to any perceived electronic threat. The type of response depends on the
time available to interdict the threat. In terms of the lock-on, where response must occur
in nanoseconds, this methodology will have a significantly different structure. The
security of electronic frequencies calls for yet another methodology. Tangent areas of
identification and disinformation, combined with a directed security response, offer additional
areas for research and demonstration as system security devices.
The universe of computer and signal corruption is new and in an embryonic stage.
Those in authority in government and industry have adopted philosophies which range
from full and total recognition of the threat to total rejection based on the security normal
to their operations. No existing philosophy can be said to be wrong. The fact is that
unanticipated weapons have not been fully researched. The potential, or lack thereof, is
mixed in with horror stories that have not been properly documented. Sobczak has
researched microcomputer, minicomputer, and a limited range of radio-signal-oriented
corruption. We can attest that the threat is real. The potential problem for operational
units is greater because of the wide range of equipment open to attack.
Computer 'hacking' offers a positive approach to the corruption of electronic signals
as it affects ELINT, SIGINT, and COMINT. Thought should be given to the opportunity
for RF code to infect digital signal processing during conversion to numerical form,
cataloging, or other processing activities. The analog data converts to digital data as
ones (1s) and zeros (0s) to create a bit stream which is raw assembler computer code.
Admitting this possibility implies that any type of signal collecting device can be placed at
risk. Further, the ability to affect the response of an energy wave allows distortion of the
signal returned. This would disorient the ROB/EOB by affecting millimeter wave windows.
Successful and widespread use of digital processing has resulted in numerous examples
of A-D and D-A converter use. Here are some examples.
A. Digital Control Systems - Variables originate within a system. They are sensed
by an analog sensor, digitized by an A-D converter, and then transmitted to a digital
processor. If the processor merely manipulates and stores this information, then the
system is a simple data acquisition system. Code sets have been constructed to shift
registers and/or corrupt data values by a binary manipulation (10's complement, etc.). If,
on the basis of the input information, control signals such as symbology for screen display,
determined by the processor, are returned to the system, then a digital control system is
present. An analog bit stream could be created to convert to digital assembler macros to
corrupt system processes without leaving a trace of the action taken. This type of attack
mechanism exists today. Sobczak created a mechanism that attacks a BIOS to either
exercise or modify commands.
A sample of code, in the form of a subroutine that averages an input voltage over X
samples, compares the result with previous peaks, and stores a value identifying the location
of the peak, demonstrates that knowing the converter architecture allows you to predict
the voltage necessary to produce the result you wish to obtain. The instruction set
would appear as it resides in unused stacks.
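The subroutine described above is the kind of deterministic acquisition routine the paper says a crafted input can steer. The example below is added here and is not Sobczak's code or the paper's subroutine: it implements the same averaging and peak-tracking routine for an assumed 12-bit converter, and adds the plausibility checks a defender would want in front of it. Samples pegged at either rail are dropped, and a window whose spread exceeds a threshold is discarded rather than allowed to move the stored peak. The converter width, window size, spread limit, and the sample stream are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed converter and policy constants (illustrative, not from the paper). */
#define ADC_BITS   12
#define ADC_FULL   ((1u << ADC_BITS) - 1)   /* 4095: reading pegged at the top rail */
#define WINDOW     8                         /* X samples per average */
#define MAX_SPREAD 256                       /* largest believable max-min within one window */

typedef struct {
    uint32_t sum;               /* running sum of the current window */
    uint16_t min, max;          /* extremes seen in the current window */
    uint8_t  count;             /* samples accumulated in the current window */
    uint32_t window_index;      /* windows completed so far (accepted or rejected) */
    uint16_t peak_avg;          /* highest accepted window average */
    uint32_t peak_window;       /* index of the window that produced it */
    uint32_t windows_accepted;
    uint32_t windows_rejected;  /* windows discarded by the spread check */
    uint32_t samples_rejected;  /* samples discarded by the range/rail check */
} peak_tracker;

static void window_reset(peak_tracker *t)
{
    t->sum = 0; t->count = 0; t->min = ADC_FULL; t->max = 0;
}

void tracker_init(peak_tracker *t)
{
    memset(t, 0, sizeof *t);
    window_reset(t);
}

/* Feed one raw sample. Returns true when a window has been completed. */
bool tracker_feed(peak_tracker *t, uint16_t s)
{
    /* A value above full scale is a framing error; 0 or full scale means the input is
       shorted, open or saturated. None of these should influence the stored peak. */
    if (s > ADC_FULL || s == 0 || s == ADC_FULL) { t->samples_rejected++; return false; }

    t->sum += s; t->count++;
    if (s < t->min) t->min = s;
    if (s > t->max) t->max = s;
    if (t->count < WINDOW) return false;

    if (t->max - t->min > MAX_SPREAD) {
        t->windows_rejected++;      /* a single injected spike cannot become the peak */
    } else {
        uint16_t avg = (uint16_t)(t->sum / WINDOW);
        t->windows_accepted++;
        if (avg > t->peak_avg) { t->peak_avg = avg; t->peak_window = t->window_index; }
    }
    t->window_index++;
    window_reset(t);
    return true;
}

/* Constructed sample stream: two clean windows, three impossible samples, one window
   carrying a 3900 spike among 1200s, then a clean lower window. */
peak_tracker run_demo(void)
{
    static const uint16_t stream[] = {
        1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000,
        1500, 1500, 1500, 1500, 1500, 1500, 1500, 1500,
        4095, 0, 5000,
        1200, 1200, 1200, 1200, 3900, 1200, 1200, 1200,
        1400, 1400, 1400, 1400, 1400, 1400, 1400, 1400,
    };
    peak_tracker t;
    tracker_init(&t);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        tracker_feed(&t, stream[i]);
    return t;
}

int main(void)
{
    peak_tracker r = run_demo();
    printf("peak avg %u in window %u; windows ok %u, windows rejected %u, samples rejected %u\n",
           r.peak_avg, r.peak_window, r.windows_accepted, r.windows_rejected, r.samples_rejected);
    return 0;
}
```

Without the spread check, the spiked window averages 1537 and would silently replace the genuine 1500 peak; with it, the peak stays at window 1 and the event is counted, which is what a downstream monitor can alarm on.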
A sample technical manual describes a method of interfacing the microprocessor
using the interrupt mode of operation. The foregoing shows that knowledge of the chip
architecture allows the necessary manipulation to produce the digital machine code needed
to introduce corrupt code into the ADC. In a Teledyne system sample, corruption was
hidden in the 8080 low-order address bus, the 8080A microprocessor, and the 8228
bidirectional bus. In the design of the 8080, vector 15 exists but is not used. Similarly, the
8228 has MEM-R and MEM-W unused, both feeding the 8080A via the data bus.
Corruption might be appended to the 8700 ADC interrupt service by the addition of
PUSH commands to the unused registers. In most microprocessor systems the data bus
is shared by many devices, such as memory and I/O ports. It appears logical that once
the first premise, i.e., conversion of analog to digital in a preconceived ordered array, is
accomplished, an aggressor is in a position to manipulate the microprocessor.
B. Hybrid Computation Systems - Hybrid computers consist of an analog computer
and a digital computer communicating with each other through a fairly sophisticated
interface. This interface normally includes several A-D and D-A converters for transforming
the signals to the appropriate computer format. While the analog computer is a
low-accuracy device, it does permit fast parallel solution of ordinary differential equations.
The digital computer is a high-accuracy serial machine with extensive logic and memory
capabilities. Together, communicating through A-D and D-A converters, they permit a very
efficient solution of certain classes of continuous system optimization and statistical
problems. Converters used in this application are often designed with computational
capabilities. Thus, the converter may act as a multiplexer. Computer software can attack
all three, i.e., analog computer, digital computer, and converter. The process involves
disassembly of the chip architecture to comprehend its design. An aggressor takes
advantage of design tradeoffs and flaws. As an example, Sobczak determined that an
omission (open door) in the design of a modem chip allowed unanticipated code to load,
store, and execute from the modem. To our mind, the pressure of putting sophisticated
systems in place in the law enforcement environment has probably left many open
doors. In addition to capitalizing on aggressor tradeoffs and omissions, Sobczak could
harden existing American equipment to resist aggression.
An example of the result of the disassembly of chip architecture might be taken from
the assembly code of the VIRUS Trojan Horse program called VANNA.ARC. VANNA
is unique in that it bypasses the operating system and manipulates extended BIOS
calls. The constant shifting of clock speeds generates friction (heat). Depending on the
quality of the device attacked, damage occurs in 30-120 seconds. Nonprofessional users
will watch the code on the screen as the destruction occurs. Please note that non-turbo
devices and early semi-DOS devices were affected. For example, VANNA generates
a "WILD INTERRUPT" message in an old USAF Z100 computer. This is not to say that
the code could not be ported to any architecture once it is known. The important fact of
the foregoing is the ability to overlay the ROM chip with code which functions to affect
the chip's normal operations. Code exists for the RAM, video RAM, modem, or disk controller
chip to be manipulated.
C. Communications Systems - The advantages of digital data transmission have
resulted in extensive use of converters as parts of telemetering and voice communications.
In telemetering systems, analog signals originating in remote locations are first converted
into digital signals and then transmitted to the control station. Remote weather and
defense related monitoring systems fall into this category of applications. The opportunities
for corruption include:
1. Modification of binary coded characters,
2. Disruption/distortion of digitally generated symbology,
3. Transmission of corrupting code to ground site for execution during analysis,
sorting or redistribution, and
4. Distortion of wave windows in the millimeter bands.
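Of the four corruption opportunities listed, the first (modification of binary coded characters in transit) is the one a control station can check for on receipt. The example below is added here and is not from the paper or from Sobczak: it defines a small telemetry frame format of my own (sync byte, sequence number, length, payload, CRC-16/CCITT-FALSE) and a receiver that rejects frames with altered bytes, bad lengths, replayed sequence numbers, or gaps in the sequence. The frame layout, the sample readings, and the tampering are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed frame layout (illustrative): SYNC | seq | len | payload[len] | crc_hi | crc_lo */
#define SYNC        0xA5
#define MAX_PAYLOAD 32
#define HDR_LEN     3
#define CRC_LEN     2

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection.
   Its documented check value for the ASCII string "123456789" is 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

typedef enum { FRAME_OK, FRAME_BAD_SYNC, FRAME_BAD_LEN, FRAME_BAD_CRC, FRAME_REPLAY, FRAME_GAP } frame_status;

typedef struct { uint8_t last_seq; int have_seq; } receiver;

/* Remote site: wrap a payload in a frame. Returns the frame length written to out. */
size_t frame_build(uint8_t *out, uint8_t seq, const uint8_t *payload, uint8_t len)
{
    out[0] = SYNC; out[1] = seq; out[2] = len;
    memcpy(out + HDR_LEN, payload, len);
    uint16_t crc = crc16_ccitt(out, HDR_LEN + len);
    out[HDR_LEN + len]     = (uint8_t)(crc >> 8);
    out[HDR_LEN + len + 1] = (uint8_t)crc;
    return (size_t)HDR_LEN + len + CRC_LEN;
}

/* Control station: validate one received frame and track the sequence number. */
frame_status frame_check(receiver *r, const uint8_t *f, size_t n)
{
    if (n < HDR_LEN + CRC_LEN || f[0] != SYNC) return FRAME_BAD_SYNC;
    uint8_t len = f[2];
    if (len > MAX_PAYLOAD || n != (size_t)HDR_LEN + len + CRC_LEN) return FRAME_BAD_LEN;
    uint16_t want = (uint16_t)((f[HDR_LEN + len] << 8) | f[HDR_LEN + len + 1]);
    if (crc16_ccitt(f, HDR_LEN + len) != want) return FRAME_BAD_CRC;   /* altered character(s) */
    uint8_t seq = f[1];
    if (r->have_seq) {
        if (seq == r->last_seq) return FRAME_REPLAY;              /* same frame delivered twice */
        int gap = seq != (uint8_t)(r->last_seq + 1);
        r->last_seq = seq;
        if (gap) return FRAME_GAP;                                 /* genuine frame, but some were lost */
    }
    r->last_seq = seq; r->have_seq = 1;
    return FRAME_OK;
}

/* Constructed exchange: a good frame, the next frame with one payload bit flipped in transit,
   the first frame replayed, the untampered second frame, then a frame that skips ahead. */
int run_demo(frame_status out[5])
{
    static const uint8_t reading[] = { 0x05, 0xDC, 0x04, 0xB0 };   /* two 12-bit readings, 1500 and 1200 */
    uint8_t f1[64], f2[64], f3[64], f4[64];
    receiver rx = { 0, 0 };
    size_t n1 = frame_build(f1, 7, reading, sizeof reading);
    size_t n2 = frame_build(f2, 8, reading, sizeof reading);
    size_t n4 = frame_build(f4, 10, reading, sizeof reading);
    memcpy(f3, f2, n2);
    f3[HDR_LEN] ^= 0x01;                      /* modification of one binary coded character */
    out[0] = frame_check(&rx, f1, n1);
    out[1] = frame_check(&rx, f3, n2);
    out[2] = frame_check(&rx, f1, n1);
    out[3] = frame_check(&rx, f2, n2);
    out[4] = frame_check(&rx, f4, n4);
    return 5;
}

int main(void)
{
    frame_status s[5];
    int n = run_demo(s);
    for (int i = 0; i < n; i++) printf("frame %d -> status %d\n", i, (int)s[i]);
    return 0;
}
```

A CRC detects line noise and alterations by someone who does not bother to recompute it; an aggressor who can rewrite the whole frame can rewrite the CRC too, so where the threat is deliberate corruption the check field must be a keyed MAC shared between remote site and control station, with the sequence number included under the key so replays and gaps are detected with the same guarantee.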
D. Voice communications systems - are also becoming increasingly oriented toward
digital signal processing. Thus, in many situations analog voice signals are being
digitized with A-D converters and subsequently transmitted over time shared channels,
with many conversations being "simultaneously" carried over the same channel. Such
systems can be designed to be flexible and can handle both speech and data at the same
time while making optimum use of the bandwidth capabilities. AT&T has had its
microwave repeaters come under attack from sophisticated hackers. To date, the system
has been saved from corruption by the combination of equipment sophistication, cost to
duplicate that equipment, and security. This is not to say that hackers have not taken
credit for some documented problems. This area provides a positive use of RF based
code sets to attack the attacker. Sobczak has developed signed VIRUS which corrupts
illegal data gatherers. We call our concept "cheap shot protection." As previously stated,
a program can attack, execute, and erase, leaving no trace of the interdiction.
There are several VIRUS programs active on bulletin boards which start as time bombs, i.e.,
they get copied to a hard drive, file server, or unprotected controller-type chip, function as
a Trojan reproducing in a new hidden area so that the time bomb repeats itself, poison
the operating system, and then jump to the DEL(ete) command and erase themselves. An
aggressor could spend a great deal of effort protecting against himself (a Trojan/VIRUS
in his system).
In summary, the major use of less-lethal will be psychological. The attacker would be
charged with fooling the computer, thereby increasing the uncertainty of those using it.
The designer of a less-lethal weapon would decide upon the best area to affect in order
to reduce confidence. The implanted code would modify decoded data to affect operator
efficiency by reducing the detection rate of true targets, while increasing the false alarm
rate in fingerprinting. Suspect equipment will cause the redirection of technology
resources to prove the fact of a problem. This, in turn, will affect production, upgrades,
and maintenance. It will cost more to produce and increase the resource commitment.