
security

This category contains 12 posts

If VoIP kills phreaking, who are tomorrow’s engineers?

“Ma Bell is a system I want to explore. It’s a beautiful system, you know, but Ma Bell screwed up. It’s terrible because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls.”

That’s a paragraph from an article linked to from Steve Wozniak’s website, which Steve describes as “The Article that changed history”. He is one of the most important engineers of our time, and like thousands more, he was driven to learn more and more about how computer systems interact, after snooping around telephone networks. The telephone system has always been a prime target for attack for two reasons – vulnerabilities have historically been well published, and telephony was so expensive that it was worth working out the ways to subvert the system and talk for free.

But what happens when talking across the world is so cheap that it’s not worth stealing any more? You may think this is an irrelevant point, calls from BT users to France are still 18.5p per minute, to New Zealand are still 31p per minute. But what if these calls to France were a penny a minute? Calls to New Zealand 1.4p a minute?

Well, they are now that price if you are a Localphone user. Does this mean no more Steve Wozniaks, young men driven to explore big networks so that they can use their skills to build something even bigger and better?

The first ‘Phreaks’ – the collective name for people who like to exploit vulnerabilities in the phone system – found their skills by accident. A blind eight year old called Josef Carl Engressia discovered that he could stop a phone accounting for a call he was making by whistling a particular note in a long distance call. He’d accidentally discovered the 2600Hz tone which signals to long-distance telephony kit that a user had hung the phone up.

The later Phreaks like Steve Wozniak were more methodical, they took this learning and approached the exercise as engineers – phreaking was a learning experience – as Steve puts it, “The blue box year was 1972. Apple started in 1975. The biggest connection was some design tricks and techniques that I honed on the blue box.” Fooling around with the telephone drove innovation and learning for the early Apples.

The telephone system acted as a central point of interest for those interested in information security, and gave the movement focus. Whilst the 2600Hz trick no longer works, the number features in the name of the world’s most popular security journal, 2600 The Hacker Quarterly, which specialises in distributing information to IT personnel about improving their systems by demonstrating weaknesses in flawed systems. Again, without Phreakers would such openness and publicity for information security exist?

I admit that phreaks are not only motivated by the prospect of free telecoms, they are fascinated with the huge telephone network. I only ask if calls were as cheap as they are through services like Localphone, would so many engineers have found value exploring telephone systems, learning techniques to use in their later masterpieces?

I hope that tomorrow’s engineers will still explore telecoms. In fact, it’s easier today than before – downloading a free PBX like Asterisk means you no longer need to be a criminal in order to explore how a telephone network interacts. VoIP networks have existed as islands within a corporation, or groups of interested people (e.g. the closed FWD system permitted free calls between friends on their network, no matter where they were in the world, but did not allow calls to route to other telephone networks, such as the one your mobile is connected to). Cheaper telecoms was our drive to build Localphone, so it can still act as a motivator for engineers to create something, it’s just that today you can have more fun doing this legally!

Disclaimer: the author is an engineer at Localphone.

Why Municipally Provided Wifi Must Never Be Allowed

I have twice now had to defend an unpopular premise – that local governments should not provide free wifi to residents and visitors. A recent thread on the Open Rights Group discussion list almost got pretty out of hand between a few people who thought it was dangerous for the government to be providing IP services, and the majority who wanted it.

To provide “free” wifi to residents, a council must spend our money on many more items than simply wifi access points located in strategic points around the city. They need to provide onward connectivity (expensive), operational support, technical support, security systems, subscriptions to professional groups such as the IWF, monitoring and maintenance and much more. The council can’t afford to fix the pot-holes on my road, despite billing me each April on the promise of doing just that, so where will the money come from in order to pay for this infrastructure?

I also do not want the council competing with my local ISP. Government is not designed to compete with private enterprises. Turfing council tax paying employees out of work by competing with their employers is surely counter-productive.

I also don’t want the general public to be led to believe that internet access is free to provide. It’s bad enough that Carphone Warehouse, Orange, and other companies are trying their best to leave customers of ‘free’ broadband services with that theory without my local government joining in.

Some people believe that free municipal wifi could be a positive externality achieved when a city is ‘wifi’d’ for public sector employees to use when doing their job. I would love to see any cost/benefit analysis that demonstrated that the applications that drive our public sector are cheaper to run over ubiquitous wifi rather than store-and-forward messaging systems that take advantage of wifi at strategic points or 3G data connectivity. I then want to see the figures that suggest opening up a private local government network for public use won’t cost any more money.

Then followed the argument that if local government can provide street-lights, then why shouldn’t they provide wifi using the same rationale. The problem with this logic is that streetlights and IP connectivity are not similar enough to compare. Street lighting is a public good; in economic terms, that means that we all are required to pay for it and we all get it, irrespective of our purchase preferences as free economic agents. People wouldn’t ‘buy’ street lighting in normal circumstances, even though there is a compelling reason to deploy it. Internet connectivity is not like this; where IP is useful, it is already widely deployed.

Firms need to fight in order to be the best at providing services, so that they can feed innovation and value. Consumers need to choose which service meets their needs the best. I would wager that you demand very different things from your domestic internet connection than I do. If I had to buy SheffieldCityBroadband (which I do have to buy, if I get taxed for its provision – tax is of course demanding money with menaces), it probably won’t do what I need.

Free wifi isn’t free. Someone has to pay. And if that someone is the taxpayer, then why can’t we just pay “the best” private company in our area to provide the service? Perhaps I will be lucky and get two providers to fight it out to be the best!

Lastly, the concept of buying internet access from the Government is extremely frightening to me. Check out the content blocking section of the LINX Public Affairs site if you want some evidence that the government are desperate to filter our internet connections. If everyone buys their state-IP the government have a simple place to block our content!

Mastercard Securecode Rant.

I ranted on the Ecommerce Experts mailing list earlier in the week after canceling an order on a cabling website, after it prompted me to enroll in Mastercard Securecode, with no way out.

My gripes are that

  • The general public should NOT be encouraged to enter their secret personal data at a checkout, in random popups. The commerce community should be sending the opposite signal; that filling in forms requesting private data on a random website is precisely how you get your identity stolen and used fraudulently!
  • The form looks like an XSS attack, not something genuine, so I have no way to work out whether it is genuine, or whether I am being phished.
  • The card may well be a company card, and not attributable to personal details.

I complained to the retailer and explained that I was not willing to order from them whilst they used and enforced securecode, and the retailer lied to me, explaining that they had no option but to use it, but that I could telephone through an order.  I think they miss the point of e-commerce.

Please do not deploy Securecode or VBV on client sites.  Please abort the transaction if you are prompted to enter your details on an untrustworthy third-party form during checkout online.

Was PGP Signing the first social network?

I spent some time last night making some cards for the LugRadio Key Signing event. I’ve used pgp for a while (since 2001 – I am now on my second key) and have not worked on building up the number of signatures I had on my first key.

I understand that PGP works best with a ‘Web of Trust’, and it suddenly hit me – I think PGP key signing is the first online social network. It has many of the other features of Web 2.0 social networks:

  • A common interest (in this case, in security – just like music on last.fm)
  • A list of real people advertising a relationship (no matter how tenuous – “I have verified your ID”)
  • It is published (keyserver network)

Wikipedia thinks that Classmates.com was the first social network, released in 1995. PGP was released in 1991. I’d be really interested to hear from someone who knows whether the web-of-trust features were there in 1991 – please comment if I am wrong.

In any case, if you know me, and would like to sign my key – these are the details

andy@pringle:~ $ gpg --fingerprint CCBCBE9A
pub 1024D/CCBCBE9A 2007-02-06
Key fingerprint = 2B62 D54D CF4A 8093 5189 804E 8991 FF62 CCBC BE9A
uid Andy Davidson
sub 2048g/9002F1A8 2007-02-06

If I know you, I would be delighted to sign your key.

I use subkeys.pgp.net as my keyserver.
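
One way to check the fingerprint printed on a key-signing card against the key fetched from a keyserver before signing it (an added example, not part of the original post; the function names are hypothetical and the colon-format sample is constructed from the key details shown above). It compares the full 40-digit fingerprint and refuses the 8-digit key ID on its own, because short IDs can be made to collide.

```shell
#!/bin/sh
# Normalise a fingerprint as typed from a card: drop whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_card COLON_OUTPUT CARD_FINGERPRINT
# Returns 0 on a full match, 1 on a mismatch, 2 if the card value is not a
# full 40-hex-digit fingerprint (for example, only the short key ID).
check_card() {
    have=$(printf '%s\n' "$1" | primary_fpr)
    want=$(norm_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ "$have" = "$want" ]
}

# Constructed sample in gpg's colon format, built from the fingerprint and
# creation date shown in the post (not captured from a real keyring).
SAMPLE='pub:-:1024:17:8991FF62CCBCBE9A:1170720000:::-:::scESC:
fpr:::::::::2B62D54DCF4A80935189804E8991FF62CCBCBE9A:
uid:-::::::::Andy Davidson:'

# Demo: fingerprint as read off the card, with the spacing gpg prints.
if check_card "$SAMPLE" "2B62 D54D CF4A 8093 5189 804E 8991 FF62 CCBC BE9A"; then
    echo "fingerprint matches card"
else
    echo "DO NOT SIGN: fingerprint differs from card"
fi
```

Against a real keyring, pass `"$(gpg --with-colons --fingerprint CCBCBE9A)"` as the first argument instead of the sample.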