We'll start with Sherlock Holmes and the Adventure of the Blue Carbuncle, and that will be followed by Charles Dickens' A Christmas Carol, presented by Craig Wichman and the Quicksilver Radio Theater. That's six to eight this Friday morning, Christmas morning, here on WBAI New York. Join us, won't you? Comfort and joy indeed. The time is just about 7 p.m., 7:02, if we're being specific. You are listening to WBAI 99.5 FM, and it's time for another exciting edition of Off the Hook. Now I can't make a call. We couldn't get much worse. But if they could, they would. I hope that's understood. And a very, very good evening to you. The show is Off the Hook here on WBAI New York, and Rob T. Firefly here with you, and I'm joined in the studio by Mike, and on the phone by Bernie S. Greetings from Philadelphia. I can barely hear you, Rob. Okay, let's see if I can fix that. Joined on the phone also by Emmanuel. Hello. And Kyle. Hi. Are you guys having a moment of silence? No, I'm talking, but I don't know. There's some goings-on. Well, we hear you now. All right, good. So I was wondering where you guys are, if you're in some exotic far-off land. Well, you must know exactly where we are. We're parked outside of McDonald's in Queens. Now, it's not because we went there or anything like that. It's because that's as far as we could get, and it's also where we could park the car. We were trying to get to the station pretty much all day, but it was raining, and when that happens, our roads flood, and people drive even more ridiculously than they usually do. So we decided to cut our losses and just park here at a side street in Queens and do the show from the comfort of a car rather than try and get there and be a half hour late. Okay. So this might be the first-ever edition of Off the Hook broadcast, partially from a McDonald's. Yeah, that could be a first for the show, but it's just, I think, better to not add to the stress out on the road. And really, it's amazing. 
There's puddles everywhere, guys, like really big ones. Whole off-ramps are puddles. It's remarkable. Yeah, we used the Waze navigation system to try and get to the station, and it was telling us about floods, and then it would direct us directly into the flood. So I don't understand what the logic was. And the final straw was when it said, okay, I can get you there quicker, but you have to go up to Manhattan, pay a toll in the Midtown Tunnel, then go back to the Brooklyn Battery Tunnel and pay another toll. Two tolls to get to Brooklyn from Brooklyn made no sense at all. So that's when we decided just to go to Queens and relax. I mean, I thank you for supporting the public transit infrastructure, which is what the MTA tolls go for. I think you should have done it. It wasn't our idea. I think Waze is owned by the MTA or something, because it never fails to try and direct you to a toll, even when you don't need to pay one. But that's neither here nor there, because, well, we're here and not there, and we're going to try and do a show on this holiday period of the year. And we're sorry that we can't be there in person, but you know what? You guys have more space, finally, in that grand little room. You're here in spirit and also on speakers. Nothing says a happy holiday like talking on the phone. That's true. And Bernie, can you hear us okay? Yeah, I can hear you guys just great. You know, a funny thing is that you're the clearest one of them all, as far as the people on the station. You're coming through loud and clear, and the other guy's kind of a little muffled. I'm working on that. Things have been rearranged since you were here last. Really? Yeah, you could be brushing up right now if you were here, but you're not. Well, what's the point? It's going to be changed again next week, so I'd have to brush up again. Hey, so we have lots to talk about, and not all of it is happy news. In fact, I'd say probably most of it isn't happy news. 
We just found out about 12 hours ago when daytime happened in New Zealand that Kim Dotcom lost his case, or at least initially, he was trying not to get extradited to the United States. It's really amazing. He's never been to the United States, but somehow he's being extradited for running a server in New Zealand and annoying the authorities here. Do I have a better way to describe it, perhaps? I could tell you how much they're accusing him of costing the record industry, as it were. It's about $500 million is the number that's been put on the pirated content his site posted. His site being Mega Upload. It's now Mega, yeah. It's now Mega. Although he's personally not involved with Mega these days. He said some time ago that he doesn't trust the people in control of Mega, and he wouldn't use Mega. Well, you know, that's beside the point, because at this stage, I wouldn't trust the internet or anybody after going through what he went through. What we really should consider, though, is what it was he actually did years ago. I'm looking into this, and I don't see anything other than running a successful internet service. And okay, you can say some people used it to pirate material, but there's no indication that he was one of those people in any way. But are you suggesting that the law of the United States of America shouldn't immediately apply to, say, countries on the other side of the world? Well, let's try that for a little while, see how that works out. How is it that somebody so far away who's never been to this country and who has really no investments in this country at all can just be dragged over here against his will? I mean, imagine if that were the case with every other country in the world. And we, you know, tonight, somehow we offend somebody in, oh, I don't know, Botswana. And before you know it, there's a, well, I guess you get a free trip to the country out of this, but you have no say. 
You wind up getting dragged in front of a court in some foreign land. And the whole thing is just really insane. What do you have against Botswana? Well, I was just out of the first country I thought of at random, so actually they're number one in my eyes. All right, all right. It's also worth noting, I think, that when the U.S. basically coordinated a raid on his mansion in New Zealand back in 2012, took basically all his personal belongings, seized all his assets, both in New Zealand and in other countries where he had bank accounts. He went to court to get his stuff back, and what's called the High Court in New Zealand ruled that the raid was completely illegal. And then the Supreme Court of New Zealand also ruled that this raid was illegal. So you would think that would be the end of the case. But no, the U.S. figures, well, if we can't win under New Zealand law, we'll bring him to the U.S. and we'll prosecute him under U.S. laws, even though he didn't do anything in the U.S. and has never been in the U.S. Yeah, I'm looking at a story from stuff.co.nz, which points out that although the U.S. didn't need to prove the charge, at this point, counsel had to at least prove there was an answerable case overseas to fulfill the extradition requirements. The United States also sought to extradite Dotcom's Mega co-founders and colleagues, Matthias Ortmann and Bram van der Kolk. And all four of them are apparently facing money laundering, racketeering, and breach of copyright charges in the U.S. following allegations that the founders of Megaupload, formerly a popular file sharing website, were knowingly allowing copyright material to be shared on a large scale. Why is it the United States is the only country that would have that kind of interest? Are they suggesting that he could be tried in every country in the world because of similar concerns? 
Maybe it's just that we were the first to go and grab him, so now all the other countries are out of luck because we've got him and we can start punishing him. Well, what Kim Dotcom said after the ruling was, this is not the last word on the matter. We have filed an appeal. We're disappointed. That's all I have to say. I wish everybody a very Merry Christmas. I'm going home now. And hopefully he gets to stay home. He lost his mansion, but losing the ability to live where you want to live is something far worse. And it's going to be interesting. I imagine they would probably bring him to New York if they did extradite him. And I can only say that the hacker community, I think, will turn out in droves to show their support and their disgust at this particular turn of events. Definitely. During court hearings, Mega was said to be one of the most successful internet service providers in history, with more than 1 billion unique visitors in its lifetime. Yeah, it was essentially a cloud storage service that encrypted the traffic for users. I mean, I don't believe anything this guy says, though. I mean, that doesn't make him worthy of what's happening to him. But also, I don't believe anything he says. Why? Because he's, I mean, he's busy comparing himself to people like Snowden and Assange, who have done a lot more than make themselves wealthy. He just seems untrustworthy, which, again, is not reason enough to prosecute him. But anything he says, I want independent verification for. I mean, you have to have a reason. I mean, is it because the guy's name is .com? Because he changed it? Because he made a lot of money? Because he ran a site that other people use for nefarious purposes? I think you have to have a reason to say you just automatically don't trust the guy. Yeah, generally probable cause has to be more than the guy's a jerk. Yeah, I agree that he, you know, I have not seen evidence sufficient to make me think he should be in jail. 
But I also have seen evidence sufficient to make me not think that, like, I should believe him when he says he's the biggest, most popular man in the world. And like, yes, his last name is part of it. Which he chose. It's not like a family last name that I'm making fun of. He said he's the biggest, most popular man in the world? No, his website. He said his website is the biggest, most popular this, that, and the other. Rob just read it on the air. Okay. Well, I think some statistics indicated that there was about a billion visitors. His statistics. Okay, he said that. That's true. I don't know. Well, we'll definitely be keeping an eye on this as it continues to develop. Yeah, again, the appeal has been filed. So it's not the last word. But just think for a second about the hell you have to go through just to battle this in the first place. It's been going on since 2012. That's three years of just fighting to not be dragged out of your country and taken to a strange foreign land. Just think, God knows what kind of punishment. Oh, and one thing he wants to bring, U.S. experts, he wants to bring expert witnesses from the U.S. who are familiar with U.S. law and U.S. copyright law. But the U.S. won't let him, won't release any of the funds that they've frozen in his bank accounts in order to pay the expert witnesses to testify. So it kind of leaves him in a tough situation. Well, you know what? I think we can find some expert witnesses that will do it gratis because this is an important case. And I think the call will go out for people that volunteer their time. And, you know, when he's victorious in the future, I'm sure he'll be generous. Absolutely. All right, guys, what's this about Juniper? I'm hearing that there's this backdoor in Juniper routers now that conveniently is happening right when we're talking about how having backdoors for encryption purposes and protecting us against terrorists, how that's a really, really bad idea. 
And all of a sudden, this story comes along where Juniper is backdoored and people realize that, you know, when you do that, it's not just a good guy to get access. You have any more information on this? I mean, information is still filtering in. But Juniper is a large company that makes networking equipment that really powers a lot of the Internet and a lot of corporate networks as well. And they were having an audit of their code and they discovered that somehow somewhere in their code was a backdoor, were actually two backdoors, one that would allow people to log into their products with this secret password that was not the password set by the owners of the equipment. And another one that would make it easier to spy upon encrypted traffic as it went over the Internet. So if you were connecting to your corporate network and you were encrypting your connection with a VPN so that your private corporate data couldn't be read by anyone else, well, someone could read that data. And what's unclear at this juncture is who that someone was. There's some evidence to suggest that it's the Five Eyes folks, the UK and the US government spying, the NSA, GCHQ. It's not 100% certain yet. If Juniper knows, they're not saying. They may not know. But it's really worrying that this kind of stuff was just inserted into these products without even the knowledge of the company that does it, or they claim without their knowledge. They've released patches. So I guess if you are using Juniper equipment, you should be sure to upgrade. But, you know, it's who would do such a thing and why is a question that a lot of people want the answer to. Yeah. And one of the reasons they were investigated by the FBI, I believe, is because Juniper itself is, as you said, a manufacturer of switching equipment that supports major ISPs and infrastructure of the Internet, as well as businesses, but also government. So the government's own networks were using some of these platforms. 
And thus, when Juniper announced this, I think sent a bit of a shockwave through all institutions who use this kind of hardware, really, because anyone could have been susceptible and anyone could use this, in theory. And also, there was an amazing article that came out today on The Intercept, and it quotes a document, a top-secret document, dated February 2011. And guess who revealed that top-secret document? None other than Edward Snowden. So it's great that we can use these documents that Edward Snowden has liberated as evidence of things that are going on that might not support what governments tell us. But let's read this brief excerpt. The six-page document, titled Assessment of Intelligence Opportunity, Juniper, raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agency found ways to penetrate the NetScreen line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ's capabilities clustered around an operating system called ScreenOS, which powers only a subset of products sold by Juniper, including the NetScreen line. And Juniper's other products, which include high-volume internet routers, run a different operating system called Junos. This whole thing is really fascinating, and I think it's going to be very difficult to argue for backdoors in the future. What do you guys think? I think it will be exactly as difficult as it is now, which means that politicians who don't, who are either willfully or unwillfully not in possession of the facts, will continue to make those arguments. And they'll continue to be nonsense arguments. But, you know, that never stopped anyone. 
Well, OK, but you're talking about politicians. How about the average person who thinks that that might keep them safe from terrorists seeing this story this week might convince them otherwise? I am not in touch with what the average person thinks, if there's one thing I've learned over the years. OK, well, how about the sub-average person? Look, I mean, I think it's clear, I think it's been clear for a long time that backdoors like this, there's no way to make backdoors like this in a way that net enhances security. And that, you know, there's lots of non-terrorist uses for encryption. Like I said, if you have a company and you don't want your competitors reading your business plans, you want encryption. If you have ever bought anything online and you don't want nefarious actors reading your credit card number, you want encryption and you want this encryption to work and you don't want it to be vulnerable to backdoors like the ones that were found in the Juniper stuff, because we don't know who had access to this backdoor. Maybe we'll find out in this specific case, but maybe we'll find out who put it there even. But we might not, we might never know if someone else found the backdoor before Juniper did. And so there was even an extra unintended reader of all these communications. We'll never know. And that's why this stuff doesn't work. And that's what security experts have been saying for a while. Now they have another piece of evidence to bolster their case. But for the entities that just don't want evidence and just want to compromise all of our security in order to advance their own agendas, they're ignoring all the existing evidence. I don't know what I think one more piece is going to do. Mike, did you actually use the phrase nefarious actors just now? I did. Yeah. Nicely used. Would you prefer a different phrase? No, no, that's fine. Bernie, I'm curious what your perspective on all this is. 
Well, I've been reading a little bit about this, and I think that this could have been a state actor, you know, a government put this in, or some people are saying it probably wasn't like NSA, because the way they did it, they just put the password in plain text right in the code, right in the code. So that's typically not what they do. But who knows? It could have been a private actor as well. It could have been a disgruntled employee who slipped in this back door and then decided they could sell it for a lot of money to interested parties. These are not conflicting theories, by the way. It could be a disgruntled employee in the payroll of a state. It could be anything. Sure, sure. So I'm sure there'll be investigations, and there'll probably be cover stories and distractions. We may never know why this really happened. We may hear stories that may or may not be true. But the bottom line is, you really can't – what of this stuff can you trust? I mean, governments trust the Juniper Networks routers and VPNs. So what is even trustworthy anymore? The trouble with looking at it as a very incompetently implemented backdoor and saying, well, it can't be the government, I think we've all experienced the government doing things in stupid ways in the past. But also, this is what happens when you – with backdoors in general. When you have access that you do not control, access that you do not control can then happen. I mean, I don't want to overstate the incompetency of this backdoor. It was apparently quite competently done in that it was snuck in there for a period of years. Right, right. And Juniper is, I assume, the kind of company that probably has done other code audits in this time period and missed this. So there was some degree of competence here. Whether that points to a state actor or not, I don't know. Well, I just hope that we can use this as further ammunition in the case against having backdoors run by any kind of authority. It's always a bad idea. 
It always backfires. Wrong people get access. And we need to remember that. Yeah, it's a great example of that. I wish – I hope your optimism is well-placed, Emmanuel. I really do. Well, regardless of whether or not it works, it is something that proves the point. So I think we should not neglect that fact, that here's another example. And it's something that made the media, so maybe people will remember it. But other things that have been talked about in the mass media in the last week is, of course, the – includes the presidential campaign, and what happened between Bernie Sanders and Hillary Clinton involving that database. I found this to be really a fascinating story. Apparently what happened was there was some kind of a data glitch in this database that both the Clinton campaign and the Sanders campaign had access to. And the Sanders workers were able to see information from the Clinton campaign that they weren't supposed to see. I think there were a total of about 25 searches that were conducted. Now, honestly, if this was really a big deal, I think there'd be a lot more than 25 searches for data that could prove valuable. But my real question here, and maybe somebody has a better understanding of this than I do, why in God's name do both campaigns have access to the same database? And why are they able to use this on the same machine when there's a problem like this? It should not be something that could be compromised. In other words, what I'm trying to say is the data should exist in their possession, in their offices, or on servers that they control, not a server that a third party controls that shares it with different campaigns, because things like this are bound to happen and probably not be detected, too. I'm sure they have happened in the past. Can you imagine if the Republicans do it this way, how many different campaigns are looking at other campaigns? 
I don't understand what the system is, what kind of information it holds, and why it's necessary to have it configured in this manner. Does anybody have any insight on that? Going by what they were saying during the most recent debate, which I was watching for my sins, apparently it was a server that was controlled by the DNC, the Democratic National Committee. So they're both using different parts of the Democratic Party's own machine to run their various campaigns off of, which is strange. Why would they be doing this when they're competing campaigns? Well, the short answer is that this data is expensive to collect. It's not just the private data, it's the voter rolls and the voting history, and I don't know what else, but this kind of data that there's a company that it's their business to aggregate all this data and sell it to campaigns. By the way, dear listeners, your data is in this database. I'm surprised. And so when you start a political campaign, you don't want to presumably go and collect all this data yourself because that would be expensive, and there's a company that can sell it to you for less. It sounds like this company is a little bit incompetent at their security practices, and that to me is more of the story than that the access took place. But it's unsurprising to me that they rely on a third party to at least collect this data and update it, and then they can make their own notes on it, and the competing campaigns obviously should not be able to see each other's notes. Well, are we talking about voter records that are open to the public? Is this the data that they were buying? I don't think they've quite made it public what the data actually was. Yes, it actually did include that data, but it included a lot of other data that each campaign created with the public voter roll data. 
Like, the bottom line is what this data comes down to is registered voters who are registered Democrats who are most likely to vote for this candidate, that candidate, maybe on particular issues, that sort of thing. So the master data list is available to all the DNC presidential candidates ostensibly, but then each campaign has their own customized overlay of this data with information that they have created or ferreted out and laid over that. But one interesting thing about this is this company, this vendor that put out this faulty product that allowed not only Bernie Sanders' campaign to see Hillary Clinton's data, but vice versa. Everybody was seeing everybody's data, according to some reports, at least for a limited period of time. The company's called NGPVAN, and the NGP part stands for a guy named Nathan Perlman, who was Hillary Clinton's chief technology officer in her 2008 campaign. So you could have conspiracy theories about this, but I just think that's an amusing fact that this is a Hillary Clinton guy who sold this product to the Democratic National Committee. Well, okay, what I don't understand, then, and I don't think anybody can explain this to me, okay, fine, you buy this data from this company. Why in God's name would you store your data on the same system as your competitor? If the service was worth anything, obviously that data would be segregated in a completely different place that was not able to simply have some firewall come down, and all of a sudden everybody can see everything. I mean, this is security 101 here. You would think. I mean, I don't know what exactly the architecture should be. I don't think I can second guess their architecture without knowing more details about it, but it's clear from the effects that they have done something terribly wrong, and yeah, they should be in a lot more trouble, I think, than this one Bernie Sanders former employee. You want to know about the architecture, Mike? 
Okay, ask any sixth grade kid who has a computer that he shares with his family, and the data that he wants to keep secret from the rest of the family is probably more secure than the way this was done here. Yeah, and it was certainly, I think, the way they were using the data that was the concern from either side of the campaign. It's sort of along the lines of what Bernie was saying previously. So it's my read that in that light, that why not, you know, if you're going to look at this system, even if it's set up for you to use and evaluate the data for your campaign, you might maybe, with the insight that it's shared in this way, you might move the analysis to a different machine. Fine, you know, use whatever accounts the committee gives you, and glean the data maybe in a sort of manual way, or otherwise export it so you can use it elsewhere and keep that analysis safe. That would have been sort of logical to me, but maybe it was a revelation that they were co-located in the first place, and thus the story. I mean, there's plenty of businesses that keep multiple companies' data on the same machine and don't make this kind of error. Like every business, basically, that provides any internet service ever is able to keep multiple companies' data on the same machine without letting one company see the other company's data. Yeah, so do you think Coke and Pepsi would be on the same machine? If they both use Google, then yeah, sure. No, I think Pepsi uses Yahoo, and Coke uses Bing. Maybe, maybe, Kyle. Anyway, the Bernie Sanders campaign, or at least the Bernie Sanders spokesman, Michael Briggs, said that four Sanders campaign staffers accessed the Hillary Clinton data on this database, and three of them did so at the direction of their boss, a guy named Josh Uretsky, who happens to live a mile from me here in Philadelphia, and Josh Uretsky was the guy who was fired. 
Josh Uretsky told CNN on Friday morning, this is according to the Washington Post, that he and others on the campaign discovered the software glitch on Wednesday morning, and they probed the system to discover the extent of their own, of the Bernie Sanders' data exposure. He said there was no attempt to take Clinton's information, but he said he took responsibility for what happened. So, I don't think he should have taken responsibility for what happened. I think the Democratic National Committee should take responsibility for what happened in using this flawed product. All right, Bernie, just one question. How do you know he lives a mile away from you? I've read this, and I met the guy at a campaign event several years ago, so he lives in Fishtown, which is just like a mile from me. I mean, you can also find out, Bernie, where he lives if you request from the Secretary of State of Pennsylvania, where you both apparently live, the voter registration rolls, and then you can get his address and just plot it on a map. There you go. I agree with what you just said, Bernie. I think, at worst, he was doing due diligence for the campaign to try to figure out what the heck's going on. Isn't this what hackers frequently get blamed for? Aren't hackers frequently blamed as the messenger? They're blamed, you know, the messenger is being blamed, as opposed to pointing out, like, hey, there's a problem here. I'm going to document the problem. And he was documenting it. And he wasn't keeping it to himself. He was telling other folks, like, this is what's going on. And then he gets fired. So I don't think Bernie Sanders himself really understood this thing, because he apologized to Hillary Clinton at that debate. And I don't think he should have apologized, frankly. Well, I think he just saw something that was going to get in the way and had to be dealt with in a mature manner. And he did the quickest thing he could think of to expedite that. But yeah, I agree. 
I don't think, based on previous knowledge of how these things play out, that there was actually any kind of crime or even breaking of the rules. I don't know if that happened. I don't see evidence to suggest anything more than, wait a second, do we really have access to this? Let's do a search and find out. And 25 searches might sound like a lot to some people, but it really is not very much at all. Yeah, I mean, there's really no way to know, because the political campaigns want this story to go away as quickly as possible. They certainly don't want us talking about the fact that this one vendor has all this data about everyone for a very long time. They don't want us to keep talking about it. So we'll probably never know exactly what this guy did and if his firing was justified or not. Well, one thing I do want to know, and I hope somebody listening can tell us, what system do the Republicans use? Do they use something as boneheaded as this, where they're all on the same machine? Or do they use their own private systems everywhere? Is it accessible in the same way? Do they have the same mistakes being made? I would like to know more. They're probably, unfortunately, not using the Democratic National Committee's machine. Well, that would be funny if they were. That would be about as absurd, wouldn't it? I mean, there's definitely vendors in this sort of space that do do business with both Democrats and Republicans. Apparently, NGP-VAN is not one of them, but there are others who do. Well, now, also there's this group known as SOBH, Cyber Jihad. I'm sure you've all heard of them. They're an Iranian activist group. They've claimed responsibility for a cyber attack that gave it access to the control system for a dam in the suburbs of New York, and an intrusion that one official said may be just the tip of the iceberg. 
SOBH, Cyber Jihad, sent a message through another Iran-linked hacker outfit called Parastoo, promising that it would release the technical information that proves it was behind the 2013 breach. The hackers claim they kept quiet about the attack for two years because of a state-level warning not to go public with it for the greater good. And it wasn't until The Wall Street Journal reported the breach this past weekend that SOBH, Cyber Jihad, said it decided to take credit for the operation against, and here it is, folks, write this down, the Bowman Avenue Dam in Rye Brook, New York, which is just north of New York City. Apparently that dam has been compromised by Iranians. My question, and I've asked this question so many times, is why in God's name is a dam on the internet? I mean, is there any reason in the world for that to be the case? Maybe this has something to do with why you're flooded out and you couldn't come to the show today. I mean, so what is, I mean, I guess I know your proposal is just run dams the way they did a hundred years ago, but like there's value in people being, authorized people being able to see the status of dams and control them without, you know, physically driving to them. Wait, you're saying that there aren't any people at this dam? Basically, it's controlled remotely? I don't know how this dam operates. I don't know a damn thing about it, but there's value in being able to see, you know, even if there's operators at the dam, there's value in being able to see things on a sort of network wide level, see all the dams and make decisions that way. It seems fairly obvious to me that there's value there. Why this thing is implemented in such a way that, you know, unauthorized parties can get to it, that I don't know. Well, I don't know why you can't have a dam network that is basically closed to the outside world and just people can be on the dam network and talk amongst themselves without the whole world being able to have access to it. 
Because this is the year 2015 and we're building the internet of dam things. Seems that way. There are some damming holes in their security, it's true, yeah. Yeah, this is something that, you know, again, security 101, you don't have critical infrastructure available and accessible through these kinds of online methods. If you need that convenience, just understand there's a risk attached to that convenience and you need to be damn sure, no pun intended, I really meant it that time, that you've looked at all the risks and you're confident that there aren't security holes like this. Because this is, the problem is not a bunch of hackers anywhere, the problem are, it's people that don't think these things through and they're in charge of critical infrastructure, they're making major decisions and they're making really bad decisions. I think also it has a lot to do with the way they implement the machines and the systems in these kinds of environments. A lot of times they'll get equipment that uses off-the-shelf operating systems and then you get employees and workers who are maybe co-located, they're in the facility and the process machines are right there at their fingertips for certain amounts of information and they end up using it for other things. I had an experience like this working in a production environment where a process control machine was also being used to surf the internet because it was right there and while everything with the process was fine, but operators would sit around and browse the web. As soon as our manager found out, it was like, it was everybody's concern, no one was allowed to do anything and it became a big deal, but I think that's one of the hazards because the culture as well as the types of tools that are in these industrial environments, both of those I think are weak points that create these kinds of situations. It's really not hard to run a database and not have it attached to the entire internet. 
I know we've been doing this now for 30 years and there's just no reason to have something accessible and you can do all the things you need to do using slightly different habits to access people's accounts or whatnot, but you have to be aware of individual security and security of your company or operation as a whole and I think what we see week after week when we report on this show constantly are examples of that not happening and people just not learning. So Emmanuel, I think I disagree with you. I don't think this proves that the security 101 has failed. I think it's proved that security 101 is insufficient. This stuff is really hard, apparently for everyone in the world except you. To make secure systems is hard, which goes back to the previous point of why we should not be spending our time explicitly making them weaker. I think we can all agree that's a bad idea, but getting this right is hard. No, it's not hard. Yeah, it is, Emmanuel. Well, it might be hard for you. It's not hard for people that know what they're doing. Sorry, it's not hard to keep data secure if you know what you're doing. That is a fact. I know plenty of people who spend their lives working on this stuff because it's hard. Okay, well, I mean, maybe they're all dumb. I'm certainly willing to concede that I might be dumb and maybe everyone I know is dumb. I don't know. But if that's the bar, then we need some really, really smart people. I'm sorry, Emmanuel. Just because this group, SOBH, Cyber Jihad, claims to be a group of Iranians, that doesn't mean this has anything to do with a state action. This doesn't necessarily have anything to do with the Iranian government. I'm guessing it probably doesn't, any more than American hackers. Or acting on behalf of the U.S. government. So just because somebody's nationality may or may not be Iranian doesn't mean it's the Iranian government that has attacked this dam control system. It's not even a major dam. 
If someone was going to really cause havoc, this is one of the weakest, this is one of the least important targets that would be chosen. But if anything, maybe this will be good that this was caught, discovered. And then maybe the dam control systems in the rest of the country will get better security, dammit. Yeah, I think this is sort of the overlapping of technological solutions. The people in the facility are probably really still excited that they have computer controls now. I mean, that alone was probably an upgrade for that type of industrial system. The point is, I think that as these systems mature, as they become more connected, we need to be ever more conscious of the pitfalls of technological solutions and maybe step away. And I think to each point, really look for the simple, logical stuff instead of throwing tons of more technology at it. Because that begets more pitfalls, generally speaking. And let's put the Kool-Aid aside for a second, because the newest technology is not always the best technology. Sometimes, yeah, the way we did it 100 years ago might have worked better. We have to look at these things and say, what do we actually need for this to be able to do? And is it working now? Do we need to, quote unquote, upgrade something or change it? Lots of times, I don't know about you guys, but when I get an update to software or something else that I don't have a say in, it's worse than it was before. And the latest gizmos, the latest access, tying it all together, sometimes it's not the best thing to do. And we need to be able to have a constant conversation about that. Well, on that note, it might be trickier with both of you guys on the phone. But do you want to try and take some phone calls? I just wanted to mention one more story, and then, yeah, I'm all for it. But apparently, the state senate here in—actually, you know what? This is a state senate in Massachusetts. 
You know, that's another problem with all these stories that people send us, is that they don't say what state they're talking about. It's from the Boston Globe. So I'm making the assumption it's about the Massachusetts state senate. They've decided that your boss is not necessarily your friend, as in Facebook friend. The 2015 legislative session recently ended without much fanfare, but among the few bills moving forward was a senate proposal that would prohibit employers from asking job applicants and employees to hand over passwords for personal social media accounts or from requesting to be friended. And that law would also make it illegal for schools to make the same demands of students. You know, this kind of thing—it's another example of people accepting things they don't have to accept. But I'm blown away by this. People actually are asked and they comply. They give their passwords out to their prospective bosses or schools. How is that a thing that is even remotely accessible? I mean, so I think this is a good bill. I think we agree that bosses should not be in the business of demanding their employees' social media passwords. And I think that a law is the thing that will stop it, because a lot of people, when they apply for a job, you know, if—depending on the types of jobs they're applying for, they may not feel that they have the negotiating power to say no. They may need a job immediately. And they're willing to trade their social media password for that job. If there's another applicant who will provide it and you won't, you know, you might not get the job. So what this does is it levels the playing field. It allows everyone to say no. And I think we should have bills like this all over the place. But, you know, why do we need a bill? It should just be illegal to ask somebody to give up their security to give up their password. Where do you think laws come from, Emmanuel? Yes, it should be illegal. It's not currently illegal. How do we fix that? 
We pass a law. It just seems like something that's already not legal under some other law. But fine, you know, if a law will keep people from asking for this, then I guess that's what we need. But it just seems ridiculously—I don't know. I don't know about legal, but with many social media services, it is against their terms of service for you to share your password with someone else. So you would be breaking the rules of Facebook or whatever other site if you gave your password to that service to a prospective employer. I'd like to hear from our listeners, oth at 2600.com. Have you ever been asked for one of your passwords by a superior, whether it be a boss or a headmaster at a school or something like that? Let us know how you dealt with it, how they dealt with it, oth at 2600.com. I would ask the people here, but I'm pretty sure that none of us ever gave out passwords just because somebody asked for it. Never. I mean, no, I haven't. But, you know, not everyone's in the position that I'm in, so. What, the position of having privacy? Having their own choice in the matter? The position of being able to turn down jobs that I don't want. That's rarer by the day. Yeah. Okay. Go ahead, Rob. Okay, well, I just want to say we do want to try and take some phone calls. We'll see if we can make this work. 718-780-8888 is the number to call us on the air. So give that a try, and we will try and get you on. We just have a few minutes left, so if you want to talk to us, you should call now. It's true. So you were saying, Kyle? Oh, no, I was just saying they're probably not the type of jobs that demand that kind of scrutiny. But I also, I kind of hear where he's going. I think that there's some kind of validation there in that kind of scrutiny, which sounds really weird because it's counterintuitive. The law is supporting privacy, but I think there is some weird sense that we're accepting some situations where an employer might have to have access or that kind of access. 
It's akin to a background check. I really don't feel like a job interview should be like a background check. It should be different. I don't know. I feel like they then appear to have more authority than they do at all. All right, let's take some listener phone calls, see what they think. Good evening. You're on the air. Yeah, hi there. Let me turn the radio off. I got three very quick things. I am a systems level programmer. The business about these back doors that were mentioned, and I've seen this happen in many places that I've worked at and also do code audits, these usually get put in by somebody who's working on the project, usually when they're doing development or for maintenance. Sometimes they just get forgotten to be taken out. The business of when stuff is in clear code, that's where you can put a sniffer in there and you can run all kinds of tests. It's extremely common. Happens all the time. Okay, second thing. It sounds like you guys, and I assume you're not systems programmers, because it sounds like you're not familiar with system management mode. I would like you all to go to Wikipedia and look up system management mode. This is a whole operating level below systems level on x86s. It's the way that Stuxnet got violated and all the others. And if you follow the external links at the bottom of the Wikipedia page, I think things will be a lot clearer. And the third thing is there was recently an extremely good book on internet security written by a fellow named Steve Bellovin. He was at Bell Labs for many years, and he retired, and he's now a professor at Columbia University. If you go to Amazon and you search his name, Steve Bellovin, B-E-L-L-O-V-I-N, I don't know if I can give the press. It's an Addison-Wesley book, and it is truly excellent. It really explains what you got to do to protect systems. Thanks, guys. Oh, and Eric, have a good holiday. Bye-bye. You too. Thanks. Yeah, I mean, I think it goes to the point that this stuff is hard. It is. 
And that's why people make their livings working on it. But the people who can understand the hard stuff, it should be sort of standard procedure to take care of things like this before they get to the end user. The other question I ask is, is it necessary? You know, yeah, it's hard to do certain things. It's hard to go to Mars right now. That's why we're not doing it. When we get it right, you know, that's like nuclear power, for instance. That's really hard to do. We're not at a stage yet where it works. So maybe one day we will be, and then it's a good idea to do it, but not now. You know, things like that. Indeed. Okay, we've got time for maybe a couple more phone calls. 718-780-8888. No one on the line yet. Yeah, call now. I think we might be limited to one slot since we've got both Emmanuel and Bernie on the line. We also learned that phone calls transfer themselves all over the station. All right, I'm going to interrupt you because there's some blinking ones now. Yeah, grab it fast. Good evening, you're on the air. Hello? Hi, how do you do? The Iranians are breaking into the, what was it, the waterfalls? A dam, I believe. Did you tell Donald Trump about this? He's going to make America great again, I mean, my God. Well, here's a sign. We'll get right on that. You can jump right on that. Thank you very much. Jump right into the dam, too. Yeah, I don't have Donald Trump's phone number, alas. If I did, there's so many things I would want to tell him. Why do you think that is, Mike? It's because he knows how to keep it secure, you see? Yeah. Yeah, I mean, maybe it's in the phone book. I haven't even checked, but we have another caller. You're on the air. Hello? Yeah, I'm calling about the elections at WBAI. Have you guys got any recommendations for that, or are you not allowed to do that over the air? Wait, which election are we talking about? The station board elections. See, I thought you were talking about the national elections in another year. 
No, these are more immediate. They're coming up, the deadline of January 4th to put in our ballots. And after trying to make donations, it got bounced, and not getting the access codes to vote in it, I finally got the ability to do it, apparently. And I'm wondering, it appears to me there's somebody trying to destroy the station who's on the board already, and somebody seems to be not trying to destroy the station. I wonder if you have any insights to that. Well, we're not going to use the show as a platform to endorse or not endorse, but my only advice is vote. And you can make an informed decision by doing a little research, reading some websites, searching in Google. You'll find what you're looking for, I think. Okay, I just had the impression that the peace and justice people were saboteurs. No comment. Thank you very much for your interest in taking part in things here. Let's see, have we got another caller? We have not. If you're calling us and it's still ringing, it's ringing somewhere else other than the board. We're seeing some ringing on the other phone here, where things have been getting bounced. So if you're on for more than a few rings, and it doesn't seem to be picking up, try calling back again. Right now, 718-780-8888. We can maybe get you in at the very last minute. Let's try this caller. Hello. Hello, this is the computer show. This is off the hook. The personal computer show is on after this. There was an appropriations bill that just passed to cover the government's expenses for another month. Yeah. In it, they stuck a bill that had failed in Congress because of public outcry, and it was to prevent people from suing their internet provider for the internet provider giving information about you to the federal government. Yeah, this is the CISA bill. It's terrible. I wish we had more time to talk about it, but we haven't. Okay, at least you know about it. Thank you very much. 
Yeah, I wish we could have done something to stop it, but as you say, it got snuck into the appropriations bill at sort of the last minute. The forces of darkness move quickly. It's only controversial to people who have interest in these issues, not to Congress people. Yes, indeed. Well, on that note, we're about to wrap things up for the year 2015. Thank you very much for joining us. It's not true. It's not true yet, but we're about to. We're on next week, Rob. We're on next week. Okay. And it's still 2015 next week. Are you guys sure? Yeah. Okay. Well, to get us some info before the end of the year, send us email at oth at 2600.com. Be sure to stay tuned for the Personal Computer Show. We're off the hook. This is Rob T. Firefly. Have a very good night. Bye. Bye. Bye. So I'll kill that plumber. So That's better than a bucket, let's get out of here!