It's as easy as talking to your neighbor to dial up a computer that's hooked into a telephone line.
"On-line services" such as Dialog and CompuServe hook their computers onto their phone lines and sell customers access to their huge databases. To keep track of customers and bill them for the time they use, the companies give each customer a separate account name.These combinations of letters or numbers are also used as customer passwords to gain access to the files.
"Computer networks" are large groups of computers all tied into the same system. Their files are just as open to any telephoner as on-line services are. If the network wants to restrict its files, it, too, sets up a password system for users.
Cracking passwords isn't easy for people. But put a computer to work on it, and it does the job in less than one-thousandth the time!
That's one basic problem with computer security. You can keep your computer data perfectly safe from harm so long as you're in charge of who gets at it. Connect the computer to a phone, and you give up security. Even the government can't lock its networks against intrusion.
Recently, a California astronomer who had an account with a military computer network discovered that hackers were using his password to gain unauthorized access to potentially sensitive data. Acting like our mothers taught us, he notified the FBI.
Not being computer-savvy enough, they doubted anyone could find out a person's password without his approval. Who could crack a military network, they figured. They shrugged and went on to the next job.
The stargazer knew that once connected to the phone, his keyboards might as well be set up on Main Street outside the local tap. So, being a good citizen, he became his own private investigator. He set a computer trap and sat back to wait for the hackers to fall in.
Meanwhile, the German telephone company began to suspect the presence of a computer-spying ring. They investigated and, via the password, were led straight to our stargazer. He told about his trap. Not only did it help the Germans identify the 10 in the spy ring, it also netted a solo Pennsylvanian snooper.
The damage was modest. The saboteurs got into only 40 of the 450 databanks accessible from the military network. They were probably picked for their spying ability, not their computer know-how. If just two or three college computer whiz kids had joined the ring, we bet they could have gotten into at least half the databases.
Do you know how tough it is to secure the average large-office computer, even one that's not hooked to the phone? Around our office, the rule of thumb is "Don't use 'computer' and 'secure' in the same sentence." They just don't go together.
Back in 1984, we were asked to design a secure computer system for a financial group headquartered on a Mediterranean island. They wanted to equip their agents with portable computers and send them out to get orders on financial transactions. The agents would telecommunicate the orders, and the head office could act on them immediately.
The only problem was that the firm wanted 100 percent assurance that neither the competition nor certain government agencies (which they wouldn't name) could tap into their computer-to-computer data exchanges.
Then, as now, we couldn't promise them 100 percent. Instead, we described and estimated costs for three different systems, one cheap and simple, one sophisticated and expensive, and one middling in both regards.
To crack our toughest system, we figured, would cost an "enemy" over a million dollars in equipment and time. To defeat the cheap one wouldn't take more than a few thousand bucks. They could all be cracked with sufficient resources.
Instead, the firm bought a "solution" from a company that promised 100 percent safety. Barely six months later, one of the group's potential adversaries was on the phone asking what it would take to crack a computer system sounding surprisingly like theirs. We refused the job, but we could have done it for less than a roundtrip fare to the island!
Another client, a psychiatric clinic, keeps a lot of sensitive patient records on computer. When we made the installation, we were asked if we could guard the files from unauthorized eyes. We assured the director that, within his budget, we couldn't promise the moon. But we could promise that casual peekers would be stopped - and embarrassed, besides.
The scheme combined password protection, a computerized log of system activity, plus a lot more. It would hang up instantly if the caller was not using a specific brand-name product or didn't have one of several specific serial numbers or didn't have the correct concealed code word we'd matched to each serial number.
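The layered check this paragraph describes can be sketched in Python as an added example; it is not the code from the installation in the column. The product name, serial numbers, code words, account and function names are all constructed for illustration, and secrets are stored as salted PBKDF2 hashes, which is an assumption rather than something the column states.

```python
import hashlib, hmac, os

def _kdf(secret, salt):
    # Salted, deliberately slow hash so secrets are never stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def enroll(secret):
    """Create the stored record (salt, hash) for a code word or password."""
    salt = os.urandom(16)
    return salt, _kdf(secret, salt)

def matches(record, supplied):
    salt, stored = record
    return hmac.compare_digest(stored, _kdf(supplied, salt))  # constant-time

# Constructed sample values: the column names no product, serial or code word.
ALLOWED_PRODUCT = "EXAMPLE-TERM"
CODE_WORDS = {"SN-1001": enroll("heron"), "SN-1002": enroll("willow")}
PASSWORDS = {"director": enroll("correct horse")}
AUDIT_LOG = []  # the computerized log of system activity

def admit(product, serial, code_word, user, password, when):
    """Return True to continue the call, False to hang up. Every call is logged."""
    if product != ALLOWED_PRODUCT:
        reason = "wrong product"
    elif serial not in CODE_WORDS:
        reason = "unknown serial"
    elif not matches(CODE_WORDS[serial], code_word):
        reason = "code word does not match serial"
    elif user not in PASSWORDS or not matches(PASSWORDS[user], password):
        reason = "bad password"  # same answer for unknown user and wrong password
    else:
        reason = None
    AUDIT_LOG.append({"when": when, "serial": serial, "user": user,
                      "result": "admitted" if reason is None else "hung up",
                      "reason": reason})
    return reason is None

def failed_attempts(log):
    """The entries staff would review: every call the system hung up on."""
    return [entry for entry in log if entry["result"] == "hung up"]
```

Because the code word is bound to one serial number, a caller who learns a valid code word still fails unless it is presented from the matching machine, and the rejected call is on record with the serial it claimed.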
The Monday after installation, the office staff phoned. Their computer was telling them someone had tried to penetrate their files. We got over there and read the log, then made a few phone calls. Ten minutes later we moseyed into the director's office.
"We know what you were doing last night about half past midnight," we said. "You were sitting at your home computer trying to read your files in the office computer. But you forgot your password!"
All of a sudden, there are lots of devices being sold that promise computer security. Some work. Others are a waste of money. In upcoming columns we'll help you sort out what's cost-effective and what's not.