Mar 31

“War dialing” is the practice of automated sequential dialing of a block of numbers – it’s like portscanning for phones. Possibly the most classic example of this was from the movie War Games where Matthew Broderick’s character uses his computer (and an acoustic modem) to dial into the NORAD defense computer and play video games against “Joshua.”

I was on a call with a major vendor last week discussing some fairly sensitive roadmap stuff and realized that about 70% of all the dial-in conf calls we do with large companies don’t have any authentication to ensure we’re actually allowed to be there. They rely upon “security through obscurity” – basically it’s like reserving a conference room in a public place but not placing a lock on the door to control who can get in. I’m not advocating this shadiness but I can’t help but think about ways to exploit insecure systems. There’s unfortunately a significant opportunity for someone to take advantage of these open conference call lines. Here’s how:

  1. Create a list of the dial-in blocks for the top companies that use these open lines with no authentication.
  2. Write an app using something like Twilio that walks the # block on the hour (when most conf calls begin).
  3. When it finds one in progress, start capturing the audio. Obviously it shouldn’t announce a name when prompted or, if required, play back something non-descript like “Bob from corporate.” How many times have you been on a big call and thought nothing when new people dinged in without announcing themselves?
  4. Index the resultant audio captures, add meta-data on where & when they were captured and sell the uber-sensitive ones on the black market in an IRC room.

Certainly some conf lines require that you enter the meeting number & passcode. But for the ones that don’t, be aware you’re leaving the door open literally for anyone to sit quietly in the corner on your conf calls and capitalize on the absence of security.

Jan 25

Wow so here comes a rant (and somebody call me on this if I’m way off) but I gotta throw a penalty flag on BofA. They just mailed my PIN number to the mailing address where my replacement debit card was sent. Does that seem hugely flawed to anyone else? They should perhaps consider changing their name because this security practice has more holes in it than a block of baby swiss. Let’s count them:

  1. I know what my PIN is, I’m the one who set it.
  2. The fact that they can even output my PIN number (which I don’t need because I already know it) is not good. That means it exists in cleartext somewhere. Unless different password physics apply in the world of ATMs and banking vs. web sites, it’s never a good idea to store a password in a form where it can be read by a human. You should only ever store a derivation and compare the hashes to one another.
  3. The fact they would then print this number (which they shouldn’t see and which I didn’t ask for) and put it in the postal mail seems pretty silly. They have no less than three alternate truly secure channels via which to send me this type sensitive info (voice, fax & inbox on the https site). You could argue they need a lowest common denominator means by which to reach everyone but in that case why not mail a note saying “stop by a branch store to set your PIN” instead?
  4. And here’s the final clincher: not only do they send a number they shouldn’t see and that I don’t need via a decidedly less-secure medium, but they send it to the same destination where the asset that it unlocks is headed… really, BofA? That’s like mailing house keys to the street address of the house they unlock. What the heck are they thinking? I suppose they get a D- instead of a flat-out F for at least separating them into individual envelopes.
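To make point #2 concrete, here is the “store only a derivation and compare” model in working Python. This is an added example, not code from the post or from any bank, and the iteration count and three-strikes lockout are assumed policy values. It also shows the caveat a practitioner would raise: a 4-digit PIN has only 10,000 possible values, so the derivation on its own is not the protection; the attempt limit is.

```python
import hashlib
import hmac
import secrets

# Constructed demo of storing a PIN derivation instead of the PIN itself.
# Assumed values: a slow KDF work factor and a three-strikes lockout.
ITERATIONS = 100_000   # PBKDF2 work factor (assumed)
MAX_ATTEMPTS = 3       # lock the card after three wrong PINs (assumed policy)


def enroll_pin(pin: str) -> dict:
    """Return the record the issuer keeps. No field holds the PIN itself."""
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4 to 6 digits")
    salt = secrets.token_bytes(16)  # per-card salt: identical PINs derive differently
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "derived": derived, "failed": 0, "locked": False}


def verify_pin(record: dict, attempt: str) -> bool:
    """Derive the attempt the same way and compare in constant time.

    The stored record cannot be turned back into the PIN, so a batch job
    that prints customer PINs onto letters has nothing to read. Because a
    4-digit PIN only has 10,000 values, the lockout counter is what actually
    stops online guessing; the KDF alone would not.
    """
    if record["locked"]:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], ITERATIONS
    )
    if hmac.compare_digest(candidate, record["derived"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_ATTEMPTS:
        record["locked"] = True
    return False


if __name__ == "__main__":
    rec = enroll_pin("4821")  # constructed sample PIN
    print("correct PIN accepted:", verify_pin(rec, "4821"))
    for guess in ("0000", "1234", "9999"):
        print("guess", guess, "accepted:", verify_pin(rec, guess))
    print("locked after repeated failures:", rec["locked"])
    print("right PIN refused once locked:", verify_pin(rec, "4821"))
```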

I would try calling and offering this input to their IT security folks, but frankly after navigating their hamster maze of an IVR tree to cancel the stolen card, it takes less time for me to write this blog post and it will probably reach that person faster.

BofA- not that I had a great deal of confidence in you before today but this practice is asinine. If you were an important web publishing company like Gizmodo with access to sensitive info like say… emails, you’d be no doubt skewered publicly over this. But alas you’re merely one of the largest financial institutions securing trillions of dollars of people’s money so this level of security is acceptable. Jeesh.

Can someone with a better security background chime in and critique this practice? Is it as flawed as it seems or am I overreacting here?

Oct 01

“Security Theater” is a term coined by Bruce Schneier and refers to “security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.” I got a taste of it today when one of the packages I sent last week was returned. We’re now sending out t-shirts to people that make us happy at JumpBox. Apparently stuffing two shirts in one of the pre-paid envelopes puts it over the 13oz limit for what’s safe to mail anonymously in the USA. May I point out:

  1. Wasn’t anthrax the scare a while back? That’s a powdered substance that’s virtually weightless and therefore immune to this countermeasure.
  2. If letter bombs are the real threat, it takes a lot less than 13oz of c-4 to hurt someone. Again rendering this policy ineffective at blocking that threat.
  3. If a terrorist wants to mail an anonymous package over the weight threshold he/she can just make the return address the intended destination and it will get there (as I found out today when they returned my package to me). Oops I guess I just spilled the beans on how to defeat this silly security practice…

All this practice does is inconvenience people. Perhaps there is some value to the feeling of security it gives the public, but it’s false security just like the shenanigans we go through when we take our shoes off at the metal detector in the airport. And now that TSA employees are allowed to bypass screening themselves at the metal detector, that whole process has more holes in it than a block of baby swiss. Oh well, </end security rant>.

Jul 16

So I had my carpets cleaned today. A lot of these services won’t give you an exact time but instead give you a window of time and a phone call when they’re on their way. Anyways I was late meeting them and for 20min there was an unmarked white van idling in front of my house (why it was unmarked instead of advertising the carpet cleaning services, I have no idea). The short of it is that my neighbor was looking out for me and placed a call to the police about a suspicious van idling in front of my house for a long time seemingly “casing the place.” By the time the police arrived I had already met them, walked the carpet cleaners around, paid them and left telling them to exit on their own via the garage. Now here’s where it gets interesting. The dialogue that occurred moments later went something like:


CARPET GUY (calling me from his phone): "Hi Sean, can you talk to a police officer and let him know we're supposed to be at your house?"

OFFICER: "Hi I'm officer so-and-so, can you verify your address?"

ME: "Yes, it's xxxxx. How can I help you?"

OFFICER: "Are these two men here supposed to be in your house? We had a call from your neighbor of a suspicious van idling for 20 min in front."

ME: "Oh yes, I was late blah blah, they're authorized to be there. Thanks for the call."

Now what’s interesting about this, and what someone like Bruce Schneier would instantly point out, is the faultiness of the authentication process used in this situation: at no point was there a reliable way to establish me as the true occupant. Think about it: if you were a would-be burglar in this situation, all you’d need is a confederate on speed-dial who had been given the address you intended to rob ahead of time. The only true way to authenticate in this scenario is to either:

  1. reach me via a verified means that is already associated with the house (i.e. the officer looks up the phone number on record with the house and calls it), or
  2. have me come back and produce a key that unlocks the house or repeat the code over the phone that unlocks the garage (i.e. something private that only the real occupant has access to) and then dismiss the alarm.

Having a random voice on the phone (from a call that the alleged perpetrator initiated) repeat back their present address doesn’t prove anything and yet doing just that gave me the ability to dismiss the officer.

And at the end of the day, I’m happy that my neighbor went out of his way to make the call. I’m happy the cop went out of his way to stop by and check with me over the phone. But I would point out that this is a highly flawed authentication scheme that can be exploited. Anyone authenticating something over the phone like this needs to think about the chain of certainty here. A very similar situation occurred to me recently where my bank called and asked me to verify account credentials to them over the phone. Before doing anything I asked how I could know they were in fact my bank and not someone trying to get my account credentials. The lady thought I was crazy and couldn’t understand my concern. I made her give me a bank telephone number which I could verify on the contact page of their site and call back. And while, yeah, it took a little longer, it’s the only sure way to authenticate in that situation. With identity theft as rampant as it is, people need to begin thinking this way.

Dec 19

What I’m proposing here is nothing short of the worldwide Vehicular Thomas Crowne Affair.

I hate photo radar. Hate it. And it’s not because occasionally I drive too fast and get a ticket. It’s because the city proselytizes it as a safety measure when in truth they’re using it purely as a revenue-generating tool. Last year in Scottsdale, after only six months of installing speed cameras on the 101 highway, the city issued nearly $3MM in tickets… that’s just absurd. It didn’t make anyone drive slower. What it did was cause car accidents because inevitably some of the cars in traffic would hit the brakes as they approached the zones where they knew the cameras were. With a random fraction of the cars sporadically slamming on the brakes without warning, it’s no wonder that stretch of highway became one of the most dangerous in Arizona. Ultimately the City put an end to the experiment and pulled the cameras off the 101. Intersections throughout Scottsdale still have red light cameras though, and the same problem exists: motorists become more concerned about avoiding a photo radar ticket than about driving safely.

So if the challenge is how to defeat the photo radar cameras, you have a few options:

  1. You can obfuscate your license plate with a reflective spray or the little plastic shields that affix to your plate and make it difficult to read when the camera flashes. Those are banned in some states because they make it difficult to read the plate at night, and worse for you the motorist, having one will start you off on the wrong foot with an officer in the event you get pulled over.
  2. You can buy a radar and laser jammer to foil the speed-sensing mechanism on the units by disrupting the radio and light waves that bounce back and measure your speed. These devices are also illegal in some municipalities (especially if they employ active jamming techniques). Even if they are legal in your area, they too start you off on the wrong foot with a police officer.
  3. You could always get a paintball gun, be the defiant vigilante and goo up the cameras rendering them inoperable. This was actually happening in Scottsdale for awhile. Defacing city property however is against the law and this will get you fined if not thrown in jail when you’re caught. Plus it’s not a reliable or sustainable way to deal with the problem.
  4. You can accept the fact you’re getting ticketed and employ tactics like overpaying the fee to try and muck up the collection process once it’s issued. Also, because the ticket is not a certified, receipt-requested letter, you can ignore it and claim it never arrived. They will of course try to serve the ticket in person so be prepared to not answer your front door if you’re using this approach.
  5. Assuming that abolishing photo radar via policy is out of the question, you can get creative and think about the series of events through which these tickets get to you and approach the problem differently.

Think: How does the ticket find its way to you? The camera snaps the photo… someone has to look at the pictures and reference that plate number to a plate in the system… then that person mails the ticket to the address on file. Without physically altering your license plate to obscure it, how else could you make it difficult for that person to send the ticket? Simple:

Order a vanity plate with a bunch of characters that are confusingly similar in appearance.

I just got my plate from AZ DMV and happily installed it this morning. It can still be read by the keen eye but from one of those crappy photo radar pictures it will be a non-trivial task to make out the characters. There aren’t many grey Tahoes in AZ that have a plate seemingly with all zeros, so with any amount of research effort the examiner could probably figure it out. But much like The Club causes enough of a nuisance to deter the would-be thief, this technique should cause the would-be photo examiner to pass over your ticket. And the more people that have plates with permutations of 0’s and O’s and D’s, the more difficult their task becomes: a veritable real life Vehicular Thomas Crowne Affair.

Is this civil disobedience? Perhaps. Is it a healthy thing to challenge the system when it sucks? You bet, especially when Scottsdale City Council has proven that all but one member is utterly incapable of performing their job (which should consist of listening to the citizens they supposedly serve and ensuring their concerns are addressed). You can go out and try methods #1-4 or you can abide by the current rule set, use your head and practice passive resistance. I propose the latter and suggest this tactic as a meme in order to send a message to the City of Scottsdale and other municipalities about how f’d up their financial printing press (ummm, I mean photo radar system) is. Research in Europe has already demonstrated that less signage, regulation and distraction makes drivers more aware of their surroundings and, consequently, more safe on the roads. The city needs to either admit that photo radar is a revenue-generating tool or do away with it. Period.

In Arizona getting a vanity plate takes $25 and all of about 5min to order online via this page on ServiceArizona.com. The plate arrives in the mail six weeks later and you swap it out. Done. You do have to specify the reason why you want that particular sequence of characters – I would suggest “Vehicular Thomas Crowne Affair.” Most plates have up to seven alphanumeric chars. Using O’s, 0’s and D’s there are a total of 2187 possible permutations for each state. Get your plate while it’s available! If you dig this technique, then digg this technique.

UPDATE 1/6/07: so this post has generated quite a local media frenzy while I was away on vacation. It made the Reddit homepage, then was referenced from a Tribune article and TheNewspaper.com, and then yesterday Channel 3 and ABC Channel 15 interviewed me. I’ll be on KFYI talking about photo radar and the controversy of defeating it via this method and why I think it’s justified. I have not yet read the study on the 101 – if anyone knows where it can be found I would love to see the results and more specifically how it was conducted and how the researchers are interpreting the data. Call in to KFYI tonight at 7pm and chime in with your piece to take part in this discussion. I don’t see the phone # on their site but listen on AZ AM 550 and I’m assuming they’ll announce it. Thanks to everyone below who took the time to voice an opinion. From the comments below it’s clear that people have strong opinions one way or another and it should be a lively discussion.

UPDATE 1/7/07: big thanks to Roberta Gale of KFYI for having me on her radio show last night. And here’s a salty op-ed piece from the Tribune. Betty Conklin clearly needs to switch to decaf and check her facts: a 16yr driving record with one ticket and one accident is hardly reckless.

This concludes the experiment. I registered the JumpBox vanity plate and will retire the OD00D0O plate when the new one arrives. It was never about evading the law or shrugging responsibility. It was about calling attention to photo radar and encouraging people to protest it. I had confirmed my suspicion before ever testing it on the road: the registration they issued me for my truck doesn’t even match the plate. It didn’t take photo examiner error for this technique to be effective; they erred before the plate ever left the factory… Anyways, thanks for all the comments. I’m glad this experiment helped provoke some thought and stir people to consider some of the flaws with photo radar. It will be interesting to read the details of the independent study on the 101 photo radar safety survey when they finally publish it.

UPDATE 1/30/07: So this is the last update to this post. Here is the new plate that arrived yesterday and has been swapped out for the 00DODO0 one – I’m happily sporting this one now but will consider changing to a new plate for all of ’07 for a six-digit sponsorship fee… ;-)


Here is the footage from the ABC “Good Evening Arizona” interview:

My favorite hate emails so far have been the ones where people say “what if someone is planning to commit a felony? You’re helping them get away.” Sorry, but which is more likely: that somebody planning to commit a serious crime will order a creative license plate then wait 6wks for it to arrive, or that they’ll just put duct tape over their plate and go do it? Oh crap I just told people how to put tape on their plate… c’mon people. I’m glad this experiment caused a stir and provoked some thought on the hypocrisy of photo radar. Apparently it made it all the way to Houston – sweet!

UPDATE 9/24/08: So the company behind the photo radar in Phoenix (Redflex) is more evil than I originally imagined. Apparently now they’re implementing active scanning of license plates of every vehicle that passes through one of their cameras, OCR’ing the plate and comparing it against a police database (cue Minority Report music).
