The militarists of Berlin and Tokyo started this war, but the massed, angered forces of common humanity will finish it. Twin Rain, the Pacific War, 1897-1945. On Weaponry, every Tuesday night in November and December, you'll hear a series of programs documenting the road to Pearl Harbor. Weaponry, Tuesday nights at 1.30. Third Rail, the magazine of Asian and Pacific Islander news and views, this month listens in on videomaker Richard Fung and cultural critic Bell Hooks. Join us on December 13th at 1.30 p.m. as they discuss the changing issues of race, sex and class in the Americas. That's Third Rail on Friday, December 13th at 1.30 p.m. Only on listener-supported radio, WBAI 99.5 FM. And it's just about three minutes after nine o'clock. Time once again for the weekly program, Off the Hook. Off the Hook, off the hook, off the hook, off the hook, off the hook, off the hook, off the hook. And a very good evening to one and all. The program is Off the Hook. We talk about technology, we talk about individual privacy, liberty, and what things are going to be like in the 1990s and into the 21st century. This is Emanuel Goldstein with you until 10 o'clock and inviting your phone calls as always. We have with us tonight author Wynne Schwartau who is speaking to us from his home in Tennessee. And Wynne is the author of the novel Terminal Compromise. Wynne, are you there? I am. How are you? Oh, I'm pretty good. A bit hectic tonight. We just got the latest issue of the magazine out on the press. I'm waiting for it. Yeah. Well, I'm waiting for it too, actually, to get back from the printer. But as soon as it does, it's going right out to all the subscribers out there and news stands and things like that. And it's going to be a rather controversial issue, but then again, they always are. You're not a stranger to controversy, are you? I am in the midst of it right now in a lot of areas. Tell us something about your book, Terminal Compromise. Well, Terminal Compromise is a novel, it's a fact-based novel, and it involves a fictionalized but very plausible attack upon the United States. Instead of using guns and bullets and bombs, it uses computers and computer technology and attacks the computers in our communication systems. And it's an example of what can happen if we continue along the current path we're on, which is basically going unprotected. Now, when you say going unprotected, what do you see as the danger signs? Well, that's kind of two questions. Unprotected means that over 95% of the computer and communication systems in the United States currently have little or no effective protection against any sort of, whether it's sabotage, invasion, or eavesdropping. There is very, very little protection in any of our systems. And when we look at more than 50% of the GNP of this country, which is over almost $6 trillion, is based upon the proper and continued functioning of our computers and communication systems, that's a big hole in our economic and potentially political national security. You say that there's no protection, what exactly do you mean? Well, for example, we look at the various types of threats that exist to computers. They range from as simple as viruses to network eavesdropping or invasion of networks, communications compromised by illegal dialing up, if you will, hacking, whether it's for casual intellectual applications or for various types of espionage. Then we've got electromagnetic eavesdropping, which is listening in on computers as they broadcast their information into the air or onto the power lines. We have keyboard interception. We have HEERF guns, which are magnetic guns which can shut down networks or computers. And ultimately we have empty bombs and high-power microwave devices, which would be used for a larger-scale type of computer warfare. Now is anybody using these devices now? They all exist in one form or another, and the majority of them, with the exception of the empty bombs, are available from either catalogs or off-the-shelf hardware from a number of manufacturers. There's nothing very unique about any of these devices. Now you mentioned HEERF gun. What's a HEERF gun? A HEERF gun is a high-energy radio frequency transmitter, very simply, except that it is designed to be portable, perhaps into a briefcase, or larger models would fit into a car or a van. And they target other communications or computer systems with a high-energy pulse of magnetic energy. And that energy field would be of sufficient intensity and frequency to disrupt the proper operations of the communications system, or the computer, or the network, and force it to crash. Now that in itself may not sound too bad, but if you think that if the right person, one of the bad guys, was targeting an enemy, a competitor, somebody else that he may not want to be able to use their computers, if he shut them down in this method every hour, every hour, every hour, every hour, for days on end, the company that relies, the organization that relies upon those computers is going to find it very, very difficult to continue business. And we're finding that a lot more of these types of crimes, shall we say, are actually being done by a variety of different groups, certainly throughout the United States, and we have a number of cases identified in Europe as well. Can you cite some specifics on that? In most cases I'm not allowed to give away the actual company names themselves for security reasons. I'm more interested in what kind of people are actually doing this kind of thing. In the UK, for example, in Northern California, there's a lot of high-tech electronic companies, chemical companies, research companies. One of those companies that we all know the name of very, very well has been under intensive surveillance, electromagnetic surveillance, by the Japanese for the last couple, three years. As a result of that, that company has invested several million dollars to properly shield their facilities from people listening in to their computer activities, and in this case it is a design firm that has very, very proprietary technology, and it was their R&D facilities. We know for a fact that the French have been operating a very, very heavy industrial espionage program against the United States at least since 1980, 81, and it's probably still underway, and this has been finally exposed in the last six months. We know for a fact that a company, well, an organization in Europe, attempted to affect a $5.1 billion transfer out from a California bank, which would have drained it of every one of its assets. If it weren't for an error in the calculation of the amount of available assets, the Swift Clearinghouse out of D.C. would have let those funds transfer into a repository in Europe and the money in that bank would have ceased to exist. These are the kind of things that we're seeing. We're seeing ATM machines under increasing attack using more advanced type of technology. We know that the military has been involved in this kind of research and has been using these types of weapons. The Army has a weapon system called HERO, and it is a higher energy radio ordnance program where you lob in essentially a magnetic bomb to disable the enemies of electronic fuse assemblies on explosive types of devices, so this technology is available and it is being used. How about the monitoring devices to spy on CRT's computer screens? All right, let's go back to a very basic fundamental premise. All electric currents induce a magnetic field, and in a computer we have a lot of electrical currents running around, the strongest of which is emanating from the keyboard, because the keyboard cable acts as an antenna, and from the CRT, the video circuits, and they broadcast very, very loud magnetic fields. It's as though all of our computer equipment were miniature radio transmitters. For those of us that were around 10, 12 years ago in this field, we recall the early Trash 80, Radio Shack computers and Commodore computers were radiating into our television sets, and when we turned the computer off, it went away, and then the FCC rulings came along to lower the emissions. However, that data is not totally suppressed. It is broadcast into the air, and I am currently showing demonstrations using an old black and white television set and a set of rabbit ear antennas from a garage sale on how simple it is to listen in on that information. You can also listen in on other computers by tapping onto the power lines where all the same data is conducted throughout a building, down the streets, depending upon what type of transformers they have in the line. The third place it radiates is into sprinkler systems, water pipes, sewer pipes, and all of the same computer data is available in all of these sources. The reason we use an old black and white TV is to show how simple the technology is. If you're really in that business, however, you're going to go out and acquire the correct equipment where you can listen in from up to a mile, mile and a half fairly effectively, store that information on videotape, and then do the video reconstruction and the cleaning up of the signal at your leisure at another time. Is there any kind of, in your opinion, protection people can take using personal computers? Say, would a laptop be more secure? Well, a laptop broadcasts just as well. We were very surprised at that. They are using higher voltages in a number of cases in some of the ultra-luminescent screens, and they broadcast. They're just screamers. But even the LCD devices do put out a fair amount of signal, and we have been very successful in picking up laptop computers, especially at trade shows where we demonstrate this. Where is the signal being broadcast on those? It's being broadcast in the same way, and it's coming from the video circuitry. I see. Now, the average computer owner, what is he to do when faced with something like this? Well, he has to decide, number one, if he cares. Do you care that any of the information on your computer system may be very, very easily detected by anybody? And currently, there's no laws against this, so people need to at least be aware that they are broadcasting everything that they think is private. If you determine that you do care and that you don't want to do that, there's essentially two routes. One is called zoning control, which means placing your computer in a place within the building such that there's enough effective shielding just from the construction of the building itself to block out anybody trying to listen in. And this is an art more than a science in that particular area, but you certainly can help it along a little bit. It's much like what they do in the Pentagon. There's the five rings of the Pentagon. In the inner ring, they don't worry quite as much because of all the insulation from the outer rings of the building into the center. Those computers that are used on the outer ring are much more susceptible to eavesdropping, and therefore, they would perhaps put more protection into those. Same thing applies in an office building or in an individual's home. If, however, you don't feel that that's appropriate or you can't do it, there are shielded computers, computers that are now coming on the market, which do shield the computer sufficiently from broadcasting. I see. Now, if the whole industry were to start over, what would you have them do differently? For it to start all over again? Yeah. Obviously, you're saying that they didn't take enough precautions. Well, what could have been done better? Well, we have a sociological problem there in that I don't think anybody believed in 1980 or 81 what 1991 would look like in terms of 100 million computer terminals sitting out there. So, I think it was very difficult to predict, but certainly three or four years ago, we had the means and the knowledge to say, hey, this is getting out of hand. Let's do something about it. There are two basic things that I certainly would have done and I've been working on for a number of years. Build an existing architecture, security architecture, and there's many out there, that has been approved by whether it's the proper government agencies or civilian agencies, and build those types of protection mechanisms directly into the computers themselves. You can also develop secure operating systems. At this point, Microsoft has shown virtually no interest in doing it whatsoever. Social research is coming on with bits and pieces, and Novell will be introducing the first secure network operating system at the end of 1992, so we're about four years late in that particular area, but it could have been done early on. Number two, the FCC shielding efforts that everybody fought with as manufacturers back in the early 1980s could have been made sufficiently more stringent to avoid the majority of the problem, except for the very, very high-end sophisticated eavesdropping devices. In additional cost factor, which people worry about, if the security had been put into each CPU and each computer starting several years ago in the quantities that we're talking about in manufacturing now, it would perhaps add another $25 or $30 to the cost of each machine. For shielding of the machines in the volumes that the industry currently builds, we'd be looking at between $50 and $75 increase in cost. It's minimal. Now, for those people that don't have computers, is your concern spread to telephones, say? Well, telephones obviously have very, very little security. There's certainly no encryption on them whatsoever. Currently, there are some devices coming out in the next few months that will affect that for the average man on the street or the average business. But telephones can be listened into by virtually anybody, whether it's somebody that knows how to get into the telephone switching networks, reprogram and put a tap on them. There's a number of ways to do that. The government can certainly do it, and we know for a fact that virtually every call that is made in the United States, including those calls that one makes to an 800 number, are logged, are tracked, and certainly the ability to listen in on them is there. There's been sufficient evidence in the last 40 years that this has been a regular practice, certainly done by our government. Do you find a lot of people share your concern? A lot of people are beginning to finally realize that while I am speaking about extreme situations in order to make it a little bit more dramatic and catch their attention, that yes, some of them say I'm taking it a bit far, and perhaps I am, but the possibility is certainly there. So we are getting the attention. We have been able to get the ear of Congress. We've been doing congressional testimony. A lot of major magazines are getting involved in the story right now as to how bad the situation can get, and when we talk about a potential electronic Pearl Harbor, I think we have an opportunity now, a breathing space, a window, if you will, to really begin a program of properly defining what is information, deciding who owns information, and affecting the proper privacy methods, and if we do that, we'll automatically get the security that we require. How do you look on computer hackers in light of all this? Are they a threat, or are they just a natural circumstance? Well, there's two breeds of hackers from the... Well, actually, there's three breeds if you want to take into account the professionals. One group is the professional hacker, those that work for either foreign governments, domestic governments, or corporations, and use the hacking techniques as a form of espionage or competitive research, investigation, if you will. Within the conventional hacking community, there's two breeds I've noticed. One is the person who's doing it for the intellectual curiosity, exploring the limits of the system and what have you. The second has been emerging over the last couple, three years, which is a hacker who is more intent on leaving a mark, and unfortunately, that mark tends to be negative, whether it is the destruction of data, the theft of programs or data, somehow interfering with the target of his attacks. I don't think that hackers have been getting a fair play by and large, and the one thing that I can say certainly in their favor, if it weren't for them, I don't think that we would be as forewarned as we are right now as to how bad the situation can get, and once again, I think this has helped create some of the breathing room. Are you aware, though, of any cases of those hackers you mentioned that leave their mark, do negative things? Oh, I'm aware of a great many of them through a lot of the criminal prosecutions that are occurring around the country, or those cases where arrests have been made and prosecution has been hindered for any of a number of reasons. There's a lot of cases going on. The current estimates that are coming through is that this year there will be 22 cases successfully prosecuted with some sort of a penalty imposed upon the perpetrators. The FBI extrapolates those numbers out about how many they know about, how many they can arrest, etc., etc., and when you blow the numbers up, it looks like in 1991 there will have been over one million computer crimes committed. But by computer crimes, I'm referring to things where there's actual damage of some sort, and that's something that to this day I really have not seen a significant number of. Well, an awful lot of it you just don't even hear about. For example, I had a meeting, it was off the record, with a bank, it was in Atlanta, Georgia, and we got to talking and I said, have you ever been hit? And they said, we were hit recently for almost a million dollars. Was it by a former employee? It was from an insider job, somebody who had left the company and then been able to get back into the system. Right, now that's what I always find to be the case, that if it's an employee or somebody that is connected to the company in some way, obviously they're going to have ulterior motives and a much better method of carrying out those ulterior motives. What I'm referring to, though, are young hackers, people who are exploring systems for perhaps the first time, and then get government agents kicking in their door and taking all their equipment. In most of those cases that I see, there is no damage that has been done, except of course after they kick in the door and all that kind of thing. I don't know of any hacker cases where these kids are going out there destroying systems. It seems to me if they did, it would be... Well, once again, we're into the numbers game here. And in this particular case, I just want to step back to it, the bank in no way, shape or form, wants any publicity about it. So what we're finding is that the crimes, much like rape, are not being reported officially. So the numbers in the cases are very, very few and far between that we're able to take a hard look at, and whether they're even prosecutable, because the proof, once again, the burden of proof is on the prosecution to say that, okay, XYZ kid, if you will, broke in here and did something wrong. The second problem, from a legal standpoint, is the domain, the jurisdiction, who has control. And there is a huge conflict right now going on within the criminal system because of that. And these are all poor pieces of the reasons why we're not hearing about it more. The number of cases that I said that are going to reach successful prosecution in this year are estimated at only 22. And that's not a lot to deal with. That's not a big sample. That's a nationwide figure. Nationwide figure. Do you sense that law enforcement has a working understanding of the technology they're dealing with? Bits and pieces of them have some understanding. The Justice Department has created a task force, and they will be attempting to do more of, well, they're doing research into it, and they would obviously like to catch more people that are doing really illegal things. The FBI has a group that is operating fairly secretively. They won't talk too much about it. The Secret Service obviously has a group. We've seen enough of what they've been doing. I guess it was down in Arizona that they had their fun one day. And then the Treasury Department has one as well. On a local level, I think the United States is fairly well behind what is going on in other countries where there are specifically computer fraud divisions of many major metropolitan police departments. Here in the United States, we're seeing bits and pieces of people that have some amount of knowledge, but not a whole lot. Is it not possible to say that existing laws could be enough to cover computer crimes? Not at all. Why is that? Well, a classic example is a case that was attempted to be prosecuted by the Justice Department several months back, and the perpetrators went in, stole some software, some source code from somebody else, from another company. They were caught. They were prosecuted under U.S. Code 2134, which is the Interstate Transport of Goods, designed back in the 1930s to prosecute people who stole cars so the FBI could get involved. When these cases have been tried, it turns out that between the main court hearing and ultimately those cases that are brought to appeal, there is a 50-50 split in the judiciary as to whether information, data that is moving along wires, constitutes goods. And so, without a full understanding of what I said earlier, what is information, how do we define information, and how do we deal with it, the current laws are definitely inadequate. Information is different things to different people. You said that the source code was stolen, but it was probably simply copied, it wasn't taken. That's correct. An understanding. Now, we have the case, I don't know if you're familiar with the case of Shadowhawk in Chicago, who was a kid that downloaded some AT&T proprietary software that was sitting wide open on a computer system. And what AT&T was able to succeed in doing was convincing a judge that he had stolen something worth a million dollars, and hence the kid went to jail for almost a year. It's precisely that kind of thing that I'm very wary about when people say that, you know, this information is property. It is to a degree, but if you treat it in exactly the same form, obviously there's going to be miscarriages of justice. Well, certainly, you know, that brings up what this whole debate is hopefully going to be about that we're trying to get started, is to come up with a coherent, common sense standard by which everybody can relate to information, and the ownership of information. So that it can make, we can get rid of a lot of the gray areas that currently exist and turn it into more of a black and white area. And then there needs to be a consensus, and unfortunately the discussion has not really begun because without a fundamental understanding of what we're dealing with to create laws, we're going to be creating them into a void. Now you've talked to Congress. What's the mood on Capitol Hill? Once again, like it is throughout the country, it's very, very split. The committees that I dealt with, there was a very high degree of interest, and I was very astounded that the congressman, especially even the chairman of that committee, was as knowledgeable as he was about the issues. Now, they weren't all like that, but I was very impressed that there were a level of understanding. Then again, we have another case with Senator Gore, who just had his highway put through and has neglected any form of consideration for security when we're talking about tying together virtually all of the nation's major computers and replacing internet with a one gigabit superhighway, yet they have not dealt with a security issue, even though we've been through on internet already. So it's split like it is everywhere else. Ultimately, though, I think that there is a general malaise about it. I see. We're talking with Wynn Schwartau, author in Memphis, is it? I'm sorry? Are you in Memphis? No, I'm in Nashville. Nashville, Tennessee, author of Terminal Compromise. We'll be taking phone calls. If you have any particular questions, give us a call now, 212-279-3400 here at WBAI New York. The program is Off the Hook, and we'll be on until 10 o'clock. Tell us, Wynn, what is your perception of the Dutch hackers? Are they a massive threat to world security, or are they just a bunch of kids having fun and being a bit rambunctious? I don't know who they are specifically. I've seen the bits on TV about them. I've heard some stories about them. I don't think whether one small group like that is really the danger. I think that they epitomize and highlight what a real danger really potentially is. I find it difficult to criticize hackers just for exploring systems. Of course, there's a right and there's a wrong and what have you, but I don't think that's really the issue that I'm addressing. If a group of hackers, like the Dutch hackers, are able to penetrate the systems that they can penetrate and have demonstrably done so far, that our enemies, people that are really out there that don't like us, the United States or a portion of the United States or any of the radical groups, they have the same capabilities and may not be so nice about it. I think you and I say the same thing as far as that goes. My question, though, is what should be done with those people when they are caught getting into those systems? Should they be asked how they did it or should they be punished as if they were one of those enemies? I don't think we have the means right now to really define a lot of the crimes. The closest that I've seen to a definition are some of the laws in England, where it very specifically says, thou shalt not enter into anybody else's computer. There are some very clear definitions of what is right and what is wrong. We don't have those here yet. We're prosecuting in gray areas. We're prosecuting in almost capricious types of matters, saying, let's try this law. Let's try this one. Let's try this one and piece together something. I think in some cases, the people that have entered systems have done some things that are wrong and probably should not be in there. On the other hand, some of the exploratory stuff that has been done, which is harmless, elucidates a concern, but it's difficult to try and prosecute a bunch of 16-year-olds for expanding their mind. I think we're into a moral and a legal conundrum until we straighten that mess out. I think what a lot of people are losing sight of is that these 16-year-olds exploring systems are basically doing the same thing 16-year-olds have been doing for a long time, which is exploring and not obeying all the rules. Of course, when something like that happens, you want to deal with it somehow, but if you deal with it in the way that I see some people wanting to deal with it here, actually sending people to prison for long periods of time just for being where they're not supposed to be, obviously, we don't really have a grip on that technology if that's the way we feel we have to deal with it. I certainly don't feel that sending, whether it's a 16-year-old or a 22-year-old college student who's hacked into a system and not done any real damage, or he was on an exploratory mission, I certainly don't see the point in sending him to a prison for any number of years or any time period, because, well, the prison system is its own discussion, but they are not even what one would consider a white-collar criminal. It's an entirely different realm. In conversations with some people, I've even suggested that we have a parallel court system with an alternate set of guidelines for punishment that deal with information crime. The likelihood of that occurring, I realize, is very, very low, but we certainly need to look at it with a different viewpoint than somebody that is an armed robber who may have the adjoining cell to somebody that knew how to use a computer. I don't think that, in that case, the punishment fits the crime. We're going to go to the phones right after this. There was a case recently, I recall, where a hacker was convicted, and one of the terms of his punishment was that he had to, or perhaps this was something that the company was asking for, I'm not 100% certain if they got it, but they wanted to be paid tens of thousands of dollars, the cost of implementing a security program, as if this hacker breaking in was the reason they needed a security program, which they should have had in the beginning. Do you agree with that? I don't know that case. It's difficult to comment without knowing any specifics. I'm sorry, I can't on that one. Okay, let's go to the phones. Good evening, you're on the air. Yes. Trying... Once you get into a position where a nation is giving, or trying to appear benevolent to its allies, say, and you get into the position of avoiding terrorist activities, it's very It's often like trying to explain the Iliad to the Flintstones. It doesn't often come across in the manner that was intended in the first place. Well, could you perhaps focus that a little bit into the discussion here? Is there a question? Yeah, is there a question here? Not really. Okay. Well, thanks very much for sharing that with us. Good evening, you're on the air. Okay. Is it true that a cradled phone can be used as a listening device? Hmm. I read this in Phil Agee's book. I know, I know. By the company. Perhaps for the rest of our listeners, if you could explain what that is. Yeah, what he's asking is, can a phone that you have just sitting in your home or your office, that is on the hook, does that phone, can that phone still be tapped and perhaps listen in to what is going on in the room? We're talking about the old Infinity transmitter here. And there's one major thing that you need to find out about a particular phone system. Is there a hard relay contact disconnect? If the relay actually disconnects the red-green connections from the receiver to the lines, then no, it cannot be done. If, however, as is much more popular nowadays with the newer phone systems, that there is only an electronic switching between them, yes, it is possible. One thing to keep in mind is that back when the government's Tempest program was first put into effect in the mid-70s for military and national security-oriented computers, one of the specifications was to keep computer terminals at some distance away from all telephones for the reason that enough of the information that is broadcast from the computer actually went down the telephone wires and was potentially detectable as well. So, yes, depending upon the type of switching mechanisms you have, yes, it is possible. Any phone can be a bug? I'm sorry? Any phone can potentially be a bug? Not any phone. There's a technical caveat in there as to what type of switching mechanism it has, whether there's a hard disconnect on the red-green. And how do you tell that? How can you tell that? You've got to get into your phone or know a little bit about phones to be able to tell. Okay, thank you very much. Sure. Okay, we're taking phone calls. Speaking with author Wynn Schwartau, 212-279-3400. Good evening, you're on the air. Thanks so much for that. Good evening. Hi, Emanuel. Yeah, on the topic of communication security, I want to relate an experience that happened to me. I have just a... Okay, speak up because you've got some hum on your line. Sorry, yeah, I have just a Panasonic answering machine. Someone was leaving me a message, and in the background I hear, like, sounds like cops, like, monitoring it and at the same time mockingly making fun of the person's voice and whatnot. Is that possible, or how else could that possibly have happened? Well, wait, a Panasonic answering machine. I'm sorry, go over this one more time. Yes. Okay, and I get a message from someone. Right. And I can actually hear people monitoring and making fun of, actually, like, mocking the person's message as he leaves it. How is... You can hear them as if they were listening in on an extension or something. Is that possible? There's three possible ways that that could happen. One is, yes, they were really doing it and trying to make their presence known and be annoying. That's a possibility, unlikely, though. The second is that there was a crossed wire down on the switching and he just ended up on a party line somehow. And the third possibility is that your answering machine or some of the wiring in your house was picking up local police channels. Over to the radio, in other words, over to police radio. It's possible. It's happened before. I think the crossed wire scenario is probably the most common, but it's very unusual for one party to be able to hear a second party and the third party be able to hear the first party. It doesn't usually work like that. One other thing I do notice when I pick up the phone, I hear, like, a humming or a buzzing. Yeah, we hear it, too. Yeah, this is the line I'm calling you from right now. That's what I'm talking about, yeah. That's normal when you do connections like that. Well, I don't know. He shouldn't be getting this all the time, though. Yeah, but on that thing, I have that on my tape, actually. So what I did was I flipped it over to preserve it. I'm wondering if there's anywhere I could bring that to have that listened to, to have it, you know... No, audio analysis in that kind of depth to look for a signal below the noise can be done, but it's an expensive process. I'm not doing anything illegal. You don't believe me. No, no, it doesn't matter to me. I don't know. It's a funny thing. I just was curious if that was possible and how that could happen. Well, it can happen, but I think, as Emanuel says, more than likely, it's just a crossed wire. Yeah, thank you very much. All right, thanks for calling. And especially with a connection like that, I would imagine quite a few crossed wires someplace. 279-3400, we have some open phone lines, so if you have any questions for Arthur Winshore Tao or myself, Emanuel Goldstein, give us a call before 10 o'clock. 212-279-3400. Good evening, you're on the radio. I'm having a lot of trouble keeping it in my pants. I don't know where to go, what to do, or who to speak to. Well, speak to somebody else. Good evening. Okay, we got a dial tone there. Good evening. Yeah, is this the radio station? Yes, it is. Okay, I want to speak with Arthur and the guys about... Arthur. Okay. Who's Arthur? Oh, that's on the 2600 program. Emanuel. Yeah, yeah. Okay, close enough. Emanuel? Sorry? Is the gentleman's name Emanuel? Yes, last I checked. Okay, Emanuel, and what's the other gentleman's name? This is Winshore Tao on the telephone. You're on the air right now, by the way. Oh, gee, okay, great. A couple questions. Where does one find out more information, like what books to look at, BBSs, user groups or societies that would help the consumer of technology know or find out some of the hazards that are out there that exist? For me, with 2600 and some of their work, so can you answer that question? Winn, you want to take that one? Yeah, there's a lot of places to get information. Unfortunately, to date, there's not any one place. It's a moving target. I would get in touch with organizations like the Computer Security Institute, the ISSA, which is a security organization. You have ISP, which is a security organization up in the Boston area. There's a number of these around, and through them, you can find out. Then your resource list starts spreading very, very quickly because they publish so much information on various types of these crimes or activities, what have you. That seems like a real easy thing to do. I went to the library myself and researched switching circuits and things like that. It's a complicated subject. It's a very, very complicated subject, and the library is going to have very, very little on it other than some of the base technology of what's involved with switching networks and technology as a whole. What you're looking for is how is the technology applied from a security standpoint, and then you have to go to the security people and talk to them and get their brochures. You can learn an awful lot of it by even just getting product brochures from a number of companies to find out what types of threats they're dealing with. Is there any suggestions you would make of someone who's considering computer security as a profession? For example, ways of breaking into that as a profession, not in a malicious way, but career-wise. Once again, getting hooked up with the associations that deal with computer security professionals all across the country. You also have the ADP Auditors Association, which is nationwide. ADP? ADP Auditors Association. They deal with computer security. There's dozens of organizations that are all involved with it, and to start there to find out what the field's about, who the players are, and start making a few contacts would be the best place. The only other way to do it is working for an organization, a company that has enough concern about security to have a security department within their MIS or DP department. Great. Okay, thank you. Sure thing. Thanks for calling. The best way to get into the field, I guess, is just to go down to a bookstore that has a section that deals with these kinds of things. Some bookstores do. I think Tower Books has a section like that. Just read. Read and occasionally buy things, too, I guess. It's very interesting that I find most of the books on the subject not here in the United States, but over in Europe. That's interesting, too. When I go over there, especially in England, there are literally walls full of books on security. Why are they not here? Well, you can get into the arguments that we don't care. You can get into the argument that the government keeps some of them out. There's a lot of potential arguments. But overall, there is a heightened awareness of security in Europe than there is here. After all, they have the amalgamation of a number of countries, and they've had certainly a lot more terrorist problems than we've had. We've just been very laissez-faire about the entire issue. Are there people that don't want you to get your message out? Organizations? Nobody at this point, to this point, has said to me, shut up. I know there's a lot of talks going on in a lot of places about the messages that we are trying to get across and what we're saying. But the reactions thus far have been, by and large, positive, receptive, and I keep getting invited back. Okay, let's go back to the phones. 279-3400. Good evening. Hi. I don't even know if this is the right show to ask this question, but somebody told me the other day that if you have a certain phone number, you can dial it and tell if your own phone is bugged. Do you know about that? That's one of the oldest myths going around. There is no number to call to find out if your number is bugged, unless it's the number of the person that's bugging your phone and you simply ask them. Some people claim that by calling the ANAC number, which in New York is 958, and that will give you your phone number back, if you hear a reorder, fast, busy, afterwards, that means your phone is not tapped. And if you don't, that means it is. And since everybody in New York doesn't really hear a fast, busy after that, a lot of people assume that phone is tapped. Believe me, there is nothing that simple that will tell you. What do you have to do to tell? Wynn, perhaps you'd like this one. The only way you can tell if you're tapped is if somebody has a radiating tap or a low impedance tap really close to your phones, your house. If it is tapped professionally, forget it. You'll never know. Okay. Thank you. Okay. Thanks for calling. You know, there's a lot of people out there that think they're being tapped. What do you attribute that to? That rumor came back from the old technologies of the 50s, when the types of taps that were used were direct inductive loads on the lines, and there was a way to measure them. But with the new techniques that have come out in the last 10 years, there's no way. Why are so many people so concerned? Do you think there's overwhelming paranoia in this country, or do people not trust the technology? I think it's a combination of the two, that we are taught in one way, trust computers, trust them, they'll give you the right answer all the time, yet we're always running into computers, not working as the brick wall to making a hotel reservation or getting on a plane or your car reservations. I think there's definitely a schizophrenic attitude towards how good and necessary computers are, and we haven't really molded into it yet. And that can certainly help breed a little bit of paranoia, and then there's certainly whatever distrust levels of the government and what's capable of being done, and that paranoia's not left. Do you run into a lot of blind faith, people believing whatever the computer says, no matter how absurd? Very, very unfortunately I do, and I find it more often than not occurring with spreadsheets, and people just accepting them and not even bothering to check them. People trusting their calculators, and when they multiply 7 times 6 and end up with 412, they accept it as the answer, and I have a real problem with that. I'd love to be able to market a gag calculator that maybe just gets one out of three things completely wrong. I love it. See how far it goes. That's a great idea. Let's go back to the phones. Good evening, you're on the radio. Okay, how are you guys doing? We're doing fine, how are you? Okay, I've been listening to the conversation for a while, and I happen to work in the business, telecommunications industry, and some of the conversations you would hear in those COs just checking lines out are hilarious. For the average subscriber, I think the main worry is for like multiple dwellings where they have lines running into all varying floors of buildings and so forth, and just cables running up alongside buildings, or outside backyards and all that kind of thing. People can just basically stick their heads out the window and tap into a line and call Poland for the weather. Off your line. As far as the tools of the trade are concerned, you can tap into a line with an inductive pickup, otherwise what they call a sniffer. You can hear any number of conversations going on. With data communications, the signals that are being emitted from those systems are so numerous and so complex that for you to discern, I'm talking about through the airwaves, for you to discern one signal from another that's being radiated from that system with every amount of metal and cable and power system that's involved there, it would be pretty rare. With regard to the hackers as such, nowadays they're employing these redial systems where you dial the computer system up and then it goes ahead and redials you hang up and then it dials you back. As your guest said earlier, like IBM with their main communication systems, with their secured lines, they use encryptors, which requires you to have an encryption device. They change it on a weekly basis from one location to another. They change their encryption sequences on a weekly basis for their secured lines. There was a communication company here in Manhattan, these OCCs, for example, the common carriers like MCI and Sprint and GT and so forth, they operate in commercial spaces, which is not like a phone building where they have a 24-hour security guard operating all day and night and their doors are really tight, really well secured. As opposed to a commercial space like Top of the Sixes, for example, or the JCPenney building or something, where anybody can walk in there. They typically have people there 24 hours a day, but they might have like one person on the shift and the facilities are huge. And anybody can just walk in off the street and with a screwdriver gain access to the entire facility. They don't necessarily, in order to disrupt service, they don't have to get onto that floor necessarily. They can go in there and throw a knife switch and knock the whole place off the air. So basically you're saying that security measures in the computer industry are adequate? Well, I would say as far as communications, there's a number of ways in which you can stave off, I would say, most of the hackers. But for the sophisticated clandestine type of operations, these people have spent enormous sums of money into doing that specific thing. As far as getting the general hacker off, that would be a pretty simple matter of just employing a redial. And they have the ANI devices, which you dial up somebody and they can see who exactly called you up. You're making a good point, but the key operative word is what you said in there is can. And yes, all of the technology, all of the defensive measures are available. There's no question about that. The point is that they are not being used, by and large. And oftentimes when they are used, they're being used incorrectly. Let me tell you something. When I was working with a company here in Manhattan, they changed my shift. They put me, I was working midnight. I worked all three shifts at these communication companies. And just as a matter of course, as I said earlier, you can go ahead and test the circuit. You might just get so bored sitting around the CO and plug up on a circuit, you know, just playing around there. Or I shouldn't say so much so far as playing around, but testing a circuit out and plug into a conversation that is kind of spicy. And you sit there and you're looking at the guy next to you and everybody's cracking up. Because it sounds like one of these 900 numbers and the guy on the other side, you know, sounds pretty heated. And you're cracking up. You might put this thing over the loudspeaker in the whole CO and have everybody on the floor rolling, you know. But my original point was that I remember working for an outfit and you come in there and the whole place is disrupted. You come in in the morning, that is, and the whole place has more or less been burglarized in a commercial building in Manhattan. As opposed to, say, like an AT&T office or, you know, one of these other major carriers, for example. These OCCs operate in commercial properties, okay, where they would rent the floor, two floors out of a building. They don't employ that type of security in those buildings. They might have an employee working there on the circuits. Well, the whole point of a lot of what I'm saying is that in distinction to those types of crimes, it's easier to listen in than it is to break in. And most of these techniques that I talk about in my book and I speak about are, by and large, invisible and done by remote control. So you eliminate, to a large extent, the chance of getting caught or identified if you're good at what you do. Right. Well, you're referring more towards the professional, and this would be more... Oh, I'm not talking professional. I'm talking this equipment is available. You can go out and buy it off a catalog from the street. I'm not talking anything terribly sophisticated here. The only thing that's sophisticated, really, is the empty bomb. Everything else is available, standard catalog-issued type of equipment, and it's knowing how to use it. That's all it is. Well, there's a place right here in Manhattan that sells all kinds of goodies over the counter. You have a computer spy... the spy shop. What's the name of it? The spy shop, yeah. Yeah, it's a nationwide firm that sells defensive measures and eavesdropping products, yes. Yeah, and I know that, you know, for certain applications, you know, what I mean to say is sophisticated. For the average Joe Blow who happens to, you know, spot something and say, oh, this is an interesting phenomenon, okay? Let me see how far I can go with this. There's not much in the way of, you know... I do know of an instance where one of these common carriers, where they had a dial-up modem, and somebody knew, you know, the protocol of the system, and they got into the system, okay, and jimmied up a patch in the machine, and at a certain time of the day, man, this thing, it blew the system away. The company, the downtime was a couple hours, because this particular system had download, all kinds of software, too, all kinds of controllers and so forth within the machine. In the meantime, while the system is down, they're losing $1,000 a minute in the interim, conceivably more than that nowadays, and blew away their entire software. I mean, I'm talking about not just the software, but their call information on the machine as well, all because they didn't have a redial system that dialed you back out. Well, redial is certainly one of the mechanisms that is available. There's a lot of methods that can be used. Simple switch on the outgoing line of the, you know, on the incoming line of the modem. The defensive technology is available, yes. And lots of times the most secure system is the simplest as well. Listen, sir, thanks for your call. We're out of time, so we're going to have to leave it at that. Winshore Tao, closing words from you and information on how people can get your book and perhaps get more information about what you're up to. If people are interested in what I do and what I'm involved with, where I'm speaking, et cetera, they can certainly call me or write me at my offices. Want me to give the number? Sure. The phone number is 615-883-6741, or you can write me at 3108-NOBVIEW, and that's in Nashville, Tennessee. For terminal compromise, it's available at all the major bookstores, Walden Books, Crown, Barnes & Noble, what have you. It's called Terminal Compromise. It's $19.95, and it's a heck of a good read. Okay. I want to thank you for being with us tonight on Off the Hook. Well, it's my pleasure. I'll be talking with you again in the future, I'm sure. I'll be happy to help. Okay. Good talking to you, Emanuel. Bye-bye. Thanks. That's the show for tonight. We'll be back again next week at 9 o'clock for another edition of Off the Hook, where we'll be talking about all kinds of technological issues. So until then, stay safe in the world of technology. Stay tuned for The Personal Computer Show next on WBAI-New York. WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York WBAI-New York