Once again, this is Dr. Michio Kaku for Radio WBAI, 99.5 FM on your dial, broadcasting from the Empire State Building. Good evening. WBAI is proud to present Homefront, Pacifica Radio's Town Hall Meetings, a five-part national satellite series. Tune in on Friday at 7 p.m. for Part 1, Disorder on the Border, a look at immigration in the United States from our Pacifica station, KPFT, in Houston. Disorder on the Border will look at immigration quarters, who's allowed in and who's not, and how new immigration will affect the United States job market in the next ten years, illegal immigration and border violence, and the free trade agreement's impact on Mexico and the United States. Hosted by Pacifica Radio's Larry Bensky, Disorder on the Border will feature a distinguished panel of immigration officials, activists, and journalists from around the country discussing one of the most pressing issues of the 1990s. That's Homefront, Pacifica Radio's Town Hall Meeting, Disorder on the Border, Friday, June 28th at 7 p.m., only on WBAI, 99.5 FM. And this is WBAI in New York. It's 9 o'clock, time for Off the Hook. The telephone keeps ringing, so I ripped it off the wall. I cut myself while shaving, now I can't make a call. It couldn't get much worse, but if they could they would. Bom diddly bom for the best, expect the worst. I hope that's understood. Bom diddly bom! And a very good evening to one and all. The program is Off the Hook, and this is Emanuel Goldstein, with you for the next hour, talking about high-tech and low-tech, and the risks thereof. We're going to have special guests today, some people formerly associated with the Legion of Doom. 
And we're going to have a special guest. Yes, we are all prisoners in one form or another. And here on Off the Hook, we're trying to wake you up a little bit to the things that are going on outside. And there are many exciting things happening. Just today, for instance, there were two major glitches that nobody can explain. The first one happened in Washington, D.C., affected the city of Washington, D.C., Maryland, Northern Virginia. Allegedly, a software glitch. And then on the West Coast, Pacific Bell does not understand why calls were failing all day long. And no doubt, we'll be reading things about that in tomorrow's newspapers. And there was a fiber cable cut in Annandale, Virginia. It knocked out the Associated Press' audio feed for their radio news service. But they have a backup routing system. And that backup routing system switches transmissions to a second cable if the first one fails. Awfully intelligent to have a backup. But! According to a spokesperson for the Associated Press, somehow they both ended up being hit by this incident. Here's an interesting article from the New York Times. Here's an article from the Risks Digest, comp.risks on the Internet. The final digit is a checksum, uniquely determined by the preceding digits. As it would be bad for a credit card thief to be able to trivially predict the account numbers of replacement cards, I had written this off to coincidence. This card was lost last week, and I just received the replacement. And the account number followed the same obvious pattern. 
It is still possible that this sequence is coincidental, but it would seem most unlikely given the number of possible account numbers. And here's something from the Dilbert comic strip on June 13th. Man talking to his dog. It's an ethical dilemma. I support my company's goal of discouraging drug use, but the random drug testing policy is a violation of my constitutional rights. I'll get fired if I refuse the test. What is the ethical thing to do? Dog to man, hack into their computer and change your boss's test results. Man using the computer and talking to dog and himself. Sometimes the straightest path is through the mud. Dog responding to man. Good. Rationalize it with an obtuse metaphor. And there are also reports about our credit files that are continuing to mount up. And just this past Saturday's New York Times, an article about credit bureaus drawing fire for misuse of data. Credit bureaus, the nation's clearinghouses for consumer credit information, are under attack. Some members of Congress, consumer advocates and individuals say the credit bureaus have inaccurate data and don't keep a tight lid on their files. Others say that their information is correct, that they try to correct errors quickly and that only subscribers, primarily grantors of credit, with legitimate needs have access to files. Credit reports are vital to the functioning of the credit system, the bureaus say. One of the recurring charges is that the credit bureaus place wrong, ambiguous or outdated information in consumer files. An individual can find out what is in his or her credit file, but only on request and only for a charge. Unless your credit is denied for some reason, and then you can do it for free. But by then, of course, it may be too late. 
The credit controversy is something that we've talked about in weeks past and something that no doubt we'll be devoting time to in the future. And one final interesting bit here. From New York Newsday, hold the phone says Mitsubishi sues AT&T over $430,000 in calls that breached security. Yes, the busy signals must have been maddening. Three years ago, Mitsubishi International leased a device known as a private branch exchange. We call them PBXs. They leased this from AT&T, its corporate neighbor on Madison Avenue. The electronic hardware was like a private phone company. Among other things, it allowed employees away from the office to dial an access code and get onto a long-distance line at Mitsubishi. Now, at that particular moment, a lot of people get lost. They don't know what is being referred to. So we're going to do something that the newspaper articles cannot do, and that is grab a dial tone and make an outgoing call. And hopefully, if our correspondents are correct, we have correspondents in the street, literally, who are feeding us numbers. And these numbers go to what is known as PBXs or also extenders. An extender is, well, imagine if you called a telephone number, and instead of hearing a ring, you received a dial tone. And with that dial tone, you could dial anywhere in the world. Well, there's that dial tone. Let's try dialing. We'll dial five. Oops, we dialed two fives. We'll dial another five. Three fives. We'll dial four fives. One more five. It's accepted five fives. We don't know what's going to happen. Another five. All right. We've done something wrong. But we've also found out that the access code is six digits. And we can also tell what kind of a system it is by the sound of that little siren that we heard. All right. Let's try another one. And these are all 800 numbers. And yes, the record is skipping. We know that. OK, we have another one. Let's try fours. One four. Another four. Three fours. Interesting. 
This one is a bit more sophisticated. Let's hit a star. Pound sign. I'd have to rank this one as having fairly good security, since you don't know how many digits the code is. And that's eventually what happens. A hacker would have a tough time with that one. All right. We're going to try one or two more. And then we'll finish with the article and get on to our special Legion of Doom feature. All right. Let's try this one over here. Of course, I cannot reveal where these numbers are winding up. But this is a live demonstration. OK, there we heard the ring and we heard the dial tone. So let's hit a zero. And we got another dial tone. Hey, we've gotten someplace. Let's dial an eight now. A five. A two. A one. A six. Whoops. A six. A nine. A zero. A star and a pound sign. Well, the pound sign seems to have set it off in some way. And that apparently means something. That's what an extender is and that's what a PBX is capable of doing. And that is in a nutshell what it's all about. So last July, a number of employees started complaining that they could almost never get through. And why could they almost never get through? They would dial a number very much like the ones that we were dialing, but they would get a busy signal instead of a dial tone. Someone was getting through. People making illegitimate calls. Now, what's unusual here is that Mitsubishi is blaming AT&T for this. Mitsubishi and New York telephone technicians audited the company's long distance records in August, a month after employees started to complain and made a disquieting discovery. More than a million dial-ups in which the caller attempted to get a long distance line without the correct access code had been logged. Most of the calls were to places like Pakistan and Egypt. Apparently, employees were not involved. When Mitsubishi got its bill for the phony calls, it refused to pay AT&T, claiming that the telecommunications giant never adequately warned it about the risks of the equipment. 
And to drive home its point, Mitsubishi filed a lawsuit against AT&T last week that asks for more than $10 million in punitive damages and seeks to have charges dropped for the calls to Pakistan and Egypt. The Mitsubishi case filed in U.S. District Court in Manhattan is not unusual, law enforcement officials say. According to Donald Delaney, senior investigator for the New York State Police, it's a multi-million dollar business. Delaney said there is a black market for stolen access codes that enable users to dial into private branch exchanges such as Mitsubishi's. I think the point that needs to be driven home here is that these systems are extremely easy to crack. And you can very simply program a computer to one by one go through all the digits. You can get the access codes through humans that work at various companies. Sometimes they even all have the same algorithm. In other words, they all add up to the same number. So it's very easy to determine what they are. And once you get this, you have a free way of making calls all over the world. Not too nice, but it is happening every day. In a moment we'll be talking to former members of the Legion of Doom who have gone respectable. Here on Off The Hook. And then we'll be taking your phone calls at 212-279-3400. [music] 
Island Records still refuses to put it out in this country. Oh well. We heard, as I said, Screaming Target, Who Killed King Tubby. The program is Off the Hook. This is Emanuel Goldstein with you until 10 o'clock. And yes, PBX fraud is not the only thing we're going to be focusing upon tonight. We're also focusing upon something that is unfolding even as we speak. That's right. We've been following various stories concerning computer hackers in the past. And one of the groups whose name has been mentioned several times, rightfully, wrongfully, all kinds of ways, is the Legion of Doom. And now there's an interesting postscript to the Legion of Doom. Let's take a look at Time Magazine, June 24th. After infiltrating some of America's most sensitive computer banks, is there any challenge left for a digital desperado? Only to go legit, say three members of the notorious hacker group the Legion of Doom, who have quit the outlaw game to start ComSec Data Security. The Legionnaires, pardon the expression, claimed an 80% success rate in penetrating computer networks, and now they want to teach private industry to protect itself from the next generation of intruders. You can't put a price tag on the information we know, says Scott Chasin, a ComSec partner. But they'll try. And we have the guys on the phone with us now. Do we have Scott Chasin in there? Or is this Chris? Yeah, I'm here. Which one is this? It's both of us. Oh, it's both of you. Okay, great. Now, you have formed this new group, ComSec Data Security. Are you both former Legion of Doom members? Yeah, as a matter of fact, I was one of the original nine members when the group was founded in 1984. 
Can you say something to people listening who might think that the Legion of Doom was sort of like Iraqi terrorists or something, the way they've been portrayed by the media? What's the facts as you know it? Well, the facts as I know it, and as I've said several times in the past, the best description that you could ever have of a Legion of Doom is a bunch of bored adolescents with too much spare time and access to computers. You know, we weren't organized crime. We weren't communist-backed miscreants. We were all normal teenagers who just happened to have an interest in computers, and it just stemmed from that. So there was never anything malicious on anyone's mind? No, no, certainly not. The intentions were always to seek knowledge. Uh-huh. Now, how would people go about seeking that knowledge? Well, by any means possible, basically. If there was a system out there that someone wanted to know about, they would usually find out everything they could about that system, whether it meant, you know, reading whatever books that were available on that particular type of system, or by going out and obtaining access to that system in one form or another. Uh-huh. Now, a year ago, things were quite different. The Legion of Doom was in a lot of newspapers, being accused of all kinds of things. Has the title, the name, has been vindicated at all? Vindicated? I don't really know if that's the word I'd use. Uh-huh. You know, there's still a stigma attached to Legion of Doom. It's not really something that a lot of people would have thought that we could cash in on to use in a positive manner, but what we're trying to do with our organization here is to turn the public sentiment around. We want to show that we've got this knowledge, and we want to use it for positive means, rather than to keep all this contained within the underground. Uh-huh. So that was our intention with forming ComSec with past members. Now, how many members are involved? 
Well, three of the four founding members were members of Legion of Doom, and there are three others who are also members of Legion who will be most likely joining us in a short period. Uh-huh. Have you gotten much feedback from the computer underground? See, the underground, it's funny. We expected a huge amount of flack from people in the underground. We thought everybody would think, well, LOD's sold out, and LOD's fed, and they're going to turn in everybody, because LOD's evil now, and they go against the underground. But that's not what we got. Everybody thinks it's great. Everybody seems to be behind us in this endeavor. The flack, interestingly enough, is coming from the computer security industry. For whatever reason, they don't seem to like the idea of computer hackers forming this kind of an entity. They don't want to see what they always saw as the opposition sides. Or they don't want to see their weaknesses exposed. Possibly. I can't speak for them. I can only speak on behalf of what we've seen. There's a lot of some kind of deep-rooted sentiment against us in one form or another. Without getting too specific, can you describe that a little bit in more detail? I don't want to go into the subject too detailed, because we will... One of the last articles that was written about ComSec Data Security was in the Houston Chronicle. A trade association in California was mentioned. One of the employees of that trade association talked about our company and what they thought about it. They personally thought it was a great idea that hackers would be comsec consultants. Who better to hire than someone that's the reason why comsec consultants are around, to keep hackers out. Back to the point, basically the industry out there, the comsec industry, feels that they're threatened for many reasons. One of them might be because they still think of us as the enemy. This is the reason why they have jobs. 
This is the reason why we put money in their pockets, because this is what we've done for the last 10 years. And now the tables have turned with us and they're scared. I think they're a little jealous also. We're getting all this press and possibly, like you said, because we could be showing their vulnerabilities. We just got back from a hackers conference in St. Louis this past weekend. I took a poll and everyone that was there admitted to me that corporate computer security out there is a joke. I don't know what these comsec consultants are doing now, but they're certainly not doing their jobs. Maybe that's why they're scared. You can ask any computer hacker out there in the underground and they will tell you that security is no problem. That's why we've set this ratio of 80% success rate in system penetration. If Company X wants to come in and ask us to present ourselves to them for a possible contract, we're going to get a computer out and we're going to show them their weaknesses. Out of 100 corporations, I guarantee that we'll get into 80 of them and show them their weaknesses. When you say you're able to get into 80%, are you just trying to get in through default passwords? There are any number of methods. We would take the approach in what we're calling systems penetration testing. We're going to take the approach that we know nothing about you or your company. We're going to try to get in as if we were an outsider, whether it be a hacker or whether it be a corporate spy. We're going to approach your system in that light. Use every means available to try and breach the security of your system, whether that means going in and trying standard defaults, whether that means walking into the building as a courier, whether that means jumping into the trash. We're going to show them. These are all avenues that they need to be aware of that people are going to try to get into a system. If there's a weak link in the chain anywhere, it could break. 
You need to have all these avenues explored. That's what we do for our external system penetration testing. Are you working with phone systems as well as computer systems? Yes, we are. There are a lot of phone systems out there that, as Chris was saying, are the weak link. They come into play. There's a collage of things that makes up tight security around the computer. If the system is hooked up to a poor phone system, that certainly could make a break in the chain. That's something we're going to focus on also. As far as the system penetration goes, we feel confident in the fact that corporate American security is a joke. A lot of people know this. That's why we feel that maybe the security industry is getting upset about this. Maybe we're going to be showing them some kind of vulnerability in themselves. They don't want their bosses to find out about us. Are there any particular kinds of systems that seem to be more open than others? Everything's got its weak points, and a lot of them share common weak points. One system that seems to be in the forefront with security flaws, mainly because it's one of the industry standards, and that's particularly what we're going to concentrate on, is any Unix-based operating system. We feel that to be our strong point, and that's the kind of systems that we're going to target. The people who operate those types of systems, those are the clients we want to target initially. Would you say there are still a lot of holes in Unix? Oh, yeah. Even the most current releases? Oh, yeah. That opens up a lot of the Internet, things all over the world. Do you hire your services out to other countries as well? Sure. Right now, we've all got valid passports, and I don't see any reason why we wouldn't be able to work overseas. When we're working off-site, it's expensive at cost. So if someone from an overseas corporation is interested, we're listed in Houston Directory Assistance. Now, let's give a hypothetical situation here. 
Let's say that you have been hired by a certain company or institution to keep their computer systems safe, and you notice a hacker has successfully gotten in, and you've got sort of like a Clifford Stoll situation on your hands. How would you handle it? Well, basically, with the hacker knowledge out there, and I will tell you that there are some extremely intelligent people out there that hack systems. If this were to happen to one of our client systems, we take the following procedures, contact the correct authorized people. It's really system dependent of what we do. First off, we'd like to say, because this has come up in a lot of interviews that we've done, is that we are not hacker trackers. We're not informants now. We're not going to go after hackers. But I can tell you this now. If someone does break into a system that we've secured, we will find them in two days and track them down and tell the proper authorities who they are. That's just a given. But back to the point of this scenario, if someone did break into one of our systems, I'd make it extremely hard for them to do. They must be a really motivated person because it's not going to be easy. It's just not going to be easy. Now, you mentioned tracking them down and getting the proper authorities. Don't you see that as rubbing some hackers the wrong way? No, it doesn't. We're out here now to make money. This is what we feel that we can use our talents and our skills best out. This is what we've been trained for the last 11 years to do this. If someone's going to come around and try and break into one of our clients' systems and cause us maybe to lose a contract with them, we're going to have to step in and say, we can find this person. It's just not going to be easy for them to break in, but if it does happen, we'll find them. But wouldn't they be breaking in as a result of some sort of a security hole? Possibly. 
That's the thing with the UNIX platform, since we will be focusing on UNIX platforms for the time being. New holes are uncovered every day. New holes are uncovered and reported every single day. UNIX is a very buggy system and it's not possible. Tomorrow there could be a new hole that a hacker finds and he'll keep it to himself for a year or so until somebody else comes across it or until it's loose somewhere. These things we can't take into place. Like I said, it's system dependent, but if there will be a new hole that someone gets a hold of and allows them access to one of our systems, we're just going to have to have watchdog software out there that we're developing ourselves that will watch for intruders, that will take note. If John Doe normally logs in to his company computer at a certain time and does standard applications, then we're going to have a watchdog system that will monitor John Doe's activity. And if on some strange Wednesday night at 2am John Doe decides to log in and accesses the password file, well, it's going to take a note of that. And it's going to say, hey, system administrator, you need to check this guy out. Is he really John Doe? I see. Do you want to encourage people to try and exploit the holes so that you can find all the security holes, or are you trying to keep them from doing that? Well, you know, I'm not going to encourage someone to exploit anything and, you know, do what it is that they want to do for their own personal reasons. You know, we're trying to provide a service to corporate America, both beneficial for us and beneficial to industry as a whole. You know, the actions that others might take to do for whatever reasons they have, I'm not going to say, well, I'd like to see someone break into this network so I can find out, oh, gee, there was a bug in that network. That's not a real ethical stance. 
I'm just a little concerned about the way this would be viewed by some people who would see you approaching this from one angle a few years ago, where you pretty much have the right to go wherever you want to go to find something. You want to get that information. When confronted with someone perhaps a little younger than you doing the exact same thing, would you treat them the same way that you yourself would have wanted to have been treated, or have you become the establishment, so to say? You know, the chance of someone younger than ourselves and less knowledgeable than ourselves or even as knowledgeable or more knowledgeable, but the fact of someone else getting into a system that we've secured, I'm going to find that real hard to believe that it's going to happen. If it does happen, I welcome it, and I'd like to have the chance to find out exactly what it is they did and how they did it, but I don't see it as happening. When we certify a system as secure, it's going to be to the point to where we could not break into it, and I think if someone from the Legion of Doom can sit and say, well, I could not get into that system, I think that would probably... But by saying that, you're also kind of maybe unintentionally issuing a challenge. No one's going to know who our clients are. That's strictly confidential information. If you were running a big Fortune 500 company, would you want the whole rest of the world to know that, well, our security was bad and we had to hire these guys? That's confidential information. No one's going to know who our clients are. No one's going to be able to say, well, gee, I'm going to hack XYZ Corporation because LOD said it's unhackable. No one's going to have that information. We're talking with Scott Chasin and Chris Goggans of the ComSec Computer... Data Security? Is that the proper name? Data Security. ComSec Data Security. Former members of the Legion of Doom. We are taking listener phone calls. 
The telephone number is 212-279-3400. If you want to ask them a couple of questions, feel free to give us a call. 212-279-3400. The reaction, you say, has been mixed from people in the underground. How would you say the press has treated this? It's a field day, of course, because there's a lot of leeway for hype. The story for the press isn't necessarily Legion of Doom goes corporate. The press has been Legion of Doom. The company seemed to have taken a back seat. It's not quite what we envisioned, but as far as we're concerned, for any new company, any kind of advertisement, any kind of expense that you can get is good because it's free advertising. A large portion of any company's expense is going to be budgeted towards advertising. We're, in a sense, getting free advertising. Nothing's been overly negative. Everybody seems to have an open mind. Everybody's just waiting to see what we do next. I feel fairly positive about all the attention we've gotten. Let's give some of our listeners a chance to come in here. 3400 is our telephone number. Good evening. You're on the air. Good evening, everyone. It seems that you were interested in showing these people with such genius to create computers and all these various systems that you could outwit them and outdo them. In a way, that's a wonderful achievement. As long as you didn't do anything dishonest. Now that you've shown them how you can invade their territories and how inferior their thinking is, you're saying, well, why don't you pay us for our talents and utilize our talents? I myself complain about getting rid of the garbage where I work because I think of Webberman, what he did with Bob Dylan's lyrics. He showed how Dylan created and changed things and so forth. I'll hand that off to you in a way and I hope that you'll have success. 
However, apropos of your program, it's not just about the telephone and systems and outages and so forth, Emmanuel, that you're really driving at is this sense of if there's such a thing as privacy or anything that can be kept from other people. Perhaps there is that area and perhaps not. Perhaps we don't want to have our people in a better thinking society. Maybe it would be perfectly permissible. However, I will say this in ending, and that is that not everybody that works at WBAI understands the concept of freedom of speech, which I thank you for allowing me to express. I do hope that in future programs we'll be able to explore the idea that dissent, while it differs from what people believe, nevertheless is important for the very idea... Thank you very much. I wanted to ask you what do you think about if a bleaching of a darker skin too? I have a technical question. Maybe the Legion of Doom might be able to answer it. I don't know if they know anything about Microsoft Word 5.5? It's a great program, but why don't you go buy the manual? It'll teach you a lot. I have the manual. Why don't you try reading it? I am. What kind of problem are you having? We've fallen into the field of computer security, but let's see if we can fail. I'm sorry about you guys, but it's something to do with the setup program and the setup disk that you put in. And when you put it in, it asks you a list of questions. That's right. Now you're supposed to answer the questions as they come onto your terminal. Did you insert the first disk in drive A? Uh-huh. Did you run setup? I didn't do it yet, but I want to ask you if I can skip over a couple of those questions. You've got to go through the whole thing in order to fully configure it for your individual system, sir. It's easier to go follow the directions, and it'll help you out a lot more. What happens if I don't have an external screen or a printer? I can't configure anything. 
Are you telling us, sir, that you have a motherboard, a CPU, and a keyboard? Right. If you have no monitor, how do you expect... I have a monitor, but not an external monitor. It's asking me questions about an external monitor and a printer, of which I don't have any. No, you have no external monitor, you have no printer. And you need to tell it that in a firm tone, that you do not have these things, and then maybe it'll stop asking you those questions. I'm sorry, we're going to have to stop answering those questions now, because it doesn't really apply to this program, but maybe the program after this, the Personal Computer Show, they might have more information on that. Thanks for calling. Let's go to another call. Good evening. Go ahead. It is to you. I don't know that I misheard you when you requested these men to explain their organization. You said that hopefully people would not think that they are an Iraqi terrorist organization. Well, it was a term used in light of all the media hype that's been going on over the past year. Not in the best tradition of the Pacifica. Uh-huh. Well, insert whatever nationalist group you want to put in there in its place. It's equally bad. Well, let's say Martians. It's not a terrorist organization. That's good enough. I'm sorry? You just can't say that it is not a terrorist organization without any. Okay, well, we'll just leave it at that, then. Strike Iraqi from that phrase. Or any nationality, or any religious group, or any, will be better, and will be in the better tradition of the foundation. Okay, so we will say that the Legion of Doom was not a terrorist group of any sort that represented any nationalist or territorial interest. Okay, thank you very much for pointing that out. It's good to have so many conscientious people out there. Good evening. You're on the air. Go ahead. Hello? Are you waking up? Okay, well, go back to sleep. Good evening. 
I have a couple of questions about building maintenance and monitoring systems. You know, controls of doors and controls of heating and all that. I do that extensively. I feel I have a good system. I can't really stay on the phone, so if you could touch on that a little bit. I don't mean directly into a mainframe. I mean into building control systems. If you could talk for a minute, it would be great. I have to hang up. Okay, I think maybe he wants to talk about some of the security problems. I don't know what the man wants. I'm a little hazy. He's asking, he builds these maintenance systems to upkeep, I guess, air conditioning and building security and stuff like that. Sir, if your systems are not tied into any phone lines and they're only accessible in-house by employees, your chances for any kind of breach of that security are slim. Unless, of course, you've got some disgruntled employee who decides the temperature ought to be 1,000 degrees. That's something your clients will have to contend with, to stay fairly safe from that. Two questions I have right off the bat. First of all, why would any system allow you to do something that's obviously unreasonable, like bring the temperature above, say, 90 degrees even, and B, what possible use is it to have a system like that available through a dial-in phone line? A lot of them are, actually. It's mainly because you can have two buildings. One with the central controller to control the heat and security, etc. And then the other one with the actual office and the personnel and the clerks that use the system. That way, it gives them some kind of remote access so they can control the temperature and everything else that corresponds with that from a remote location. All right. Let's go to another call. Our phone number is 212-279-3400. Good evening. Turn down your radio, please. Hello? Anyone there? Okay. Let's go to the next call. Good evening. Yes. I have a question for the experts. Go ahead. Okay. 
I just recently bought a Sharp Wizard 64K hand computer, and I have a lot of important information on it. It has password protection. How easy would it be if I lost it for somebody to get through the password? Okay. Are you trying to ask us how easy it would be for them to crack your password on your Sharp 64K handheld computer? Yes. How long is your password now, sir? Two digits. What's the maximum you can change it to? I think up to eight. That would be wise. It is. I see. You're saying they can hook up another computer to it, and it would just go through all the characters? If someone had your computer in their hand, they could probably, if they really wanted to, they'd take it apart. And if you take those computers apart, the password is in the computer, you're telling me? Yes, it is. It's in the computer, and if they really wanted to bypass it, they could, since it is handheld. And if you did lose it, there is a possibility that they could bypass it by all means. If you carry this on your person... Yes. To use a longer password. That's correct. One other question, then. You're saying that all computers in the world that there is no way that you can give a password that's not in the computer. There's no such thing. Obviously, I guess it has to be in the computer. That's correct. If you enter an invalid password, it's not going to let you onto the system. That's the whole idea of passwords. The whole idea of passwords... Hello? ...passwords, so nobody else can access their account. So if someone guesses at your password... I don't know if it's my phone line or yours, but... We're on a noisy location, so what we're going to do is disconnect you and let them finish answering the questions. Okay, I'll listen on the radio. Thank you very much. I guess he's not going to make that last point. Go ahead and finish your statement. As I was saying, if the password tried is incorrect, it's not going to let them log onto the account. That's the whole password scheme. 
That's why passwords were invented. A two-letter password, though, would be incredibly easy to crack. It seems kind of pointless to even have one. What I would suggest to the gentleman is to try cracking it himself. Pretend that he doesn't know it, or even better still, forget your password and just try to remember it. Things like that have happened to me, too. Or, another possibility would be, what if he really did forget his password? Is there a way to contact the company and say, hey, I forgot my password. What do I do with this useless hunk of metal? And then you also have to take into consideration that if someone did find his machine and they didn't want to go to the trouble of taking it apart, if they could call the developer, whoever makes it and manufactures it, and say, hey, I lost my password, how do I get back in? Right. Okay, let's try a couple more calls in the time we have left. Good evening. Yes, is this the Off the Hook show? It is. Do you have a question? Go ahead. It's about the Unix system. Okay. Do they know the codes for the password file, how to break it and get it as root access? How do you break into a Unix system and get root access? No, no, no. Yes, it is. When you call in Unix, you know Unix, there's a password file. That's correct. Do you know the code? It's encoded the password file next to the person's name. If we know the algorithm to the DES encryption... Do you know the algorithm? Is that how you break into people's systems? No, no, no. To my knowledge, DES is un-reversible. I think maybe... It's a one-way encryption. You can't decrypt DES. I think the NSA maybe can. Maybe you should ask them. Maybe a couple Ruskies, but not in America. When you secure the system, do you change the encryption when people log in? DES is the standard encryption for the United States. We're not going to mess with that. What we will do, though, is we'll suggest a shadow password, which entails exactly what this is. 
It hides the password file so nobody can see the encrypted password so they can't try to encrypt and compare passwords or otherwise guess at passwords in the encrypted form. Why don't you just encrypt when the person logs in? Doesn't that make a lot more sense? It is encrypted on the system. It's not in clear text. Basically, how hackers get in is they guess at passwords. You'd have a password. Your name is John. Most Johns use the password John as their password, which is not a good password. In fact, in 2600, this issue, we published a program that looks through the dictionary. Every UNIX system has a dictionary file. If somebody uses a word that is in the dictionary and there's tens of thousands of words in there, it will find it, and it will say what the word is. It's very easy. All right, let's go on to one more call. Good evening. Hi, how are you doing? I'd like to follow up on one of Emmanuel's questions because I think the answer was a bit incomplete. In this program, one of the premises seems to have always been that information is free. Your guests seem to be taking the position that people should be punished, put in jail, their lives ruined, etc. for merely accessing information. I'd like to know in what way they reconcile this with their own earlier activities and feelings about the freedom of that information. Okay, that will have to be the final comment. Go ahead. Okay, we don't condone hacking. Information as being a free... Chris, do you want to take this one? Yeah. Basically, the guy, he's saying that perhaps we might have a hypocritical stance from our past actions. But, you know, there are times when the actions of certain hackers should be viewed in a more serious criminal manner. Someone who looks around a system with a guest account is not, in my opinion, entitled to the same kind of prosecution as someone who would physically kick down the door of a company, lock in, type on their terminal, and delete every single thing they have. 
Right now, under current laws, this is viewed in the same manner. I don't think it should be. And, you know, in the future, I hope that things will change. That's, you know, if someone was snooping around on our system with a guest account, we wouldn't immediately go running to the federal authorities, but there wouldn't be a guest account there to begin with. However, if someone, through some more malicious means or with more intent, broke into a system, that's the kind of person who doesn't, you know, first of all, it doesn't follow the kind of code of practice that we worked on ourselves, and it's not the kind of thing that we would ever believe in. And so, certainly, we'd see what kind of measures need to be taken against an individual like that. Folks, we are out of time. We've been speaking with Scott Chasin and Chris Goggans of the ComSec Data Security, former members of the Legion of Doom, and I suppose if people want to get in touch with you, how can they do so? They can give us a call at 713-721-6500 or mail us, and we're listed. Okay. Thanks so much for being with us, and keep us updated as to what goes on in the future. Okay, well done. Thank you. And that concludes Off the Hook for this Wednesday night. We'll be back again next Wednesday at 9 o'clock. Stay tuned for the Personal Computer Show. This is Emmanuel Goldstein. Take care.