Date: Fri, 6 Oct 2017 23:45:25 -0400
From: Monty Solomon <firstname.lastname@example.org>
Subject: Researchers: Uber's iOS App Had Secret Permissions That
Allowed It to Copy Your Phone Screen
Researchers: Uber's iOS App Had Secret Permissions That Allowed It to
Copy Your Phone Screen
To improve functionality between Uber's app and the Apple Watch, Apple
allowed Uber to use a powerful tool that could record a user's iPhone
screen, even if Uber's app was only running in the background,
security researchers told Gizmodo. After the researchers discovered
the tool, Uber said it is no longer in use and will be removed from
The screen recording capability comes from what's called an
"entitlement" - a bit of code that app developers can use for anything
from setting up push notifications to interacting with Apple systems
like iCloud or Apple Pay. This particular entitlement, however, was
intended to improve memory management for the Apple Watch. The
entitlement isn't common and would require Apple's explicit permission
to use, the researchers explained. Will Strafach, a security
researcher and CEO of Sudo Security Group, said he couldn't find any
other apps with the entitlement live on the App Store.
Date: Sat, 7 Oct 2017 14:03:49 -0400
From: Bill Horne <bill@horneQRM.net>
Subject: CenturyLink to Service SMB Segment With Managed WiFi
Network Neutrality is no problem for Centurylink: the company will
allow its "SMB" "customers" to "prioritize" and "throttle" traffic
before it gets to the ILEC's wires.
- - - - - - - - - - - - -
Regional wireline operator and incumbent local exchange carrier
("ILEC") CenturyLink Inc. CTL is opting for managed WiFi services to
cater to the demands of small and mid-sized business (SMB) and to lure
more customers in this segment from cable TV operators and Competitive
local exchange carriers ("CLEC").
Based on Meraki technology of Cisco Systems Inc., the managed WiFi
platform will offer real-time monitoring and analytics in order to
enable enterprises to better connect with customers. Business
customers will be able to view their networks through Meraki's
dashboard. They can also prioritize and throttle priority and
nonpriority applications. Moreover, enterprises can use client- and
location-based analytics to better serve their clients who are
connected to the network.
(Remove QRM from my email address to write to me directly)
Date: Sat, 7 Oct 2017 06:46:39 -0000 (UTC)
From: email@example.com (Rob Warnock)
Subject: Re: White House wants to end Social Security numbers as a
Monty Solomon <firstname.lastname@example.org> wrote:
| White House wants to end Social Security numbers as a national ID
| US government is examining the use of a "modern cryptographic
As noted in the comments of the referenced URL, a large part of the
problem is that people try to use the SSN as an *authenticator* (e.g.,
like a password) when it's actually only an identifier (e.g., user
name). Hence such oxymoronic phrases as "cryptographic identifier".
The *identifier* doesn't need any cryptography [except perhaps a MAC],
but the *authenticator* certainly does!
| "I believe the Social Security number has outlived its usefulness,"
| said Joyce...
Note that Medicare, which has historically used SSNs as
identifiers, is already [well, early next year] rolling out a new
format for Medicare account numbers:
New Medicare cards are coming
Medicare will mail new Medicare cards between April 2018 and April
2019. Your new card will have a new Medicare Number that's unique
to you, instead of your Social Security Number. This will help to
protect your identity. See an example of the new Medicare card.
[Shows example new form ID: "1EG4-TE5-MK72".]
It's nice that they're decoupling from the SSN, but note that this is
still only an "identifier", with no additional authentication
Historically one's Medicare ID number was one's SSN, suffixed with
a single letter that encoded a few bits of your account status.
E.g., if you started Medicare at age 65 but did not "retire" yet
[that is, did not start taking SSA benefits], your Medicare number
was of the form "000-00-0000-T". If you then later "retired", your
Medicare ID number would *change* from "000-00-0000-T" to
"000-00-0000-A" [assuming you were the primary SSA beneficiary].
[Yes, this happened to me!]
Other suffix letters encode other possible status:
What Do Those Extra Letters on Your Medicare Card Mean?
That I can tell... There might be a check digit or two in there.(?)
Rob Warnock <email@example.com>
627 26th Avenue <http://rpw3.org/>
San Mateo, CA 94403
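The identifier/authenticator split Rob describes above, as an added worked example (not part of his post and not any agency's scheme). The identifier is public and carries only an issuer MAC, so a mistyped or made-up identifier is rejected without the identifier itself having to be secret; the authenticator is a separate secret stored as a salted, stretched hash. The identifier format, the issuer key and the account store are constructed assumptions.

```python
"""Identifier vs. authenticator: a constructed illustration, not a real scheme."""
import hashlib
import hmac
import secrets

# Constructed issuer key; a real issuer would keep this in an HSM or KMS.
ISSUER_MAC_KEY = b"constructed-issuer-mac-key"
PBKDF2_ROUNDS = 200_000


def issue_identifier(key: bytes = ISSUER_MAC_KEY) -> str:
    """Return a random identifier with a short issuer MAC tag appended.

    Constructed format: 8 hex chars of random body, '-', 4 hex chars of tag.
    The body has no relation to an SSN or any other personal data. A 16-bit
    tag is for illustration; a real scheme would use a longer one.
    """
    body = secrets.token_hex(4).upper()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:4].upper()
    return f"{body}-{tag}"


def verify_identifier(identifier: str, key: bytes = ISSUER_MAC_KEY) -> bool:
    """Check the issuer tag only. Anyone may know the identifier, so this
    catches typos and forgeries; it does not authenticate the presenter."""
    try:
        body, tag = identifier.split("-")
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:4].upper()
    return hmac.compare_digest(expected, tag)


def register_authenticator(secret: str) -> dict:
    """Store the holder's secret as a salted PBKDF2 hash, never in the clear."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_authenticator(record: dict, candidate: str) -> bool:
    """Prove knowledge of the secret, using a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def authenticate(accounts: dict, identifier: str, candidate: str) -> bool:
    """Look the account up by identifier, then require the authenticator.

    Knowing the identifier alone (the SSN-as-password mistake) never
    succeeds here; the separate secret must also be presented.
    """
    if not verify_identifier(identifier):
        return False
    record = accounts.get(identifier)
    return record is not None and verify_authenticator(record, candidate)


def demo() -> bool:
    """Walk through issue -> register -> authenticate on a constructed account."""
    accounts = {}
    ident = issue_identifier()
    accounts[ident] = register_authenticator("correct horse battery staple")
    return (authenticate(accounts, ident, "correct horse battery staple")
            and not authenticate(accounts, ident, ident)          # identifier is not a secret
            and not authenticate(accounts, ident[:-1] + "Z", "correct horse battery staple"))


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

The point of the split is that a leaked identifier costs nothing beyond re-issuance, while a leaked authenticator must be rotated; conflating the two (as with the SSN) makes every database that stores the identifier a password database.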
Date: Sat, 7 Oct 2017 19:30:57 +0000 (UTC)
From: firstname.lastname@example.org (Garrett Wollman)
Subject: Re: CenturyLink to Service SMB Segment With Managed WiFi
In article <20171007180349.GA29686@telecom.csail.mit.edu>,
Bill Horne <bill@horneQRM.net> wrote:
>Based on Meraki technology of Cisco Systems Inc., the managed WiFi
>platform will offer real-time monitoring and analytics in order to
>enable enterprises to better connect with customers. Business
>customers will be able to view their networks through Meraki's
>dashboard. They can also prioritize and throttle priority and
We've been using Meraki wireless for nearly as long as the company has
been around (disclaimer: Meraki was a CSAIL spinoff and gave us a very
steep discount on our initial deployment). I have found that their
application identification is informative, but unfortunately the
product lacks integration with IP differentiated services on the wired
side, so I decided not to try to use it for traffic prioritization.
The product uses a combination of shallow and deep packet inspection
and DNS snooping to identify applications, rather than just
protocols. I suspect that it also has lists of certain providers'
network blocks as well. If I look at my top-20 "applications" over
the past 24 hours, it tells me that they are:
1) SSH, 2) "Miscellaneous secure web", 3) "Apple file sharing" (local
backups), 4) Dropbox, 5) YouTube, 6) apple.com, 7) "UDP", 8) "Non-web
TCP", 9) "Miscellaneous web", 10) iTunes, 11) Facebook, 12) Google
HTTPS, 13) "Encrypted TCP (SSL)", 14) "Software updates", 15) Google,
16) Spotify, 17) "CDNs" (Content Distribution Networks), 18) iCloud
(Apple cloud backups), 19) Gmail, 20) "Miscellaneous video"
"Applications" 1, 2, 3, 7, 8, and 9 are easy to identify by shallow
inspection [TCP/22, TCP/443, TCP/548, UDP/(not 53 or 5353), TCP/(not
80 or 443), TCP/80]. The rest require some form of payload inspection
(either DNS snooping or actually looking for protocol handshakes
inside TCP connections). Streaming video can be semi-reliably
identified on the basis of interarrival times.
If I dig more deeply into the list, I can see which news sites my
users frequent, where they shop (I'm going to assume for
business-related purchases here), and what cloud and peer-to-peer
applications they use. As an operator of a university network, this
level of packet inspection doesn't bother me much (after all, I'm
already snooping on every packet that enters or leaves the network
anyway). As a residential customer, I'd be a bit more uncomfortable.
(And I know that my home ISP is almost certainly collecting similar
data on me to sell to advertisers without my consent.)
This sort of traffic analysis is now fairly routine and easy to do.
It is one of the justifications for DNScrypt, a proposed protocol for
clients to communicate with (non-ISP) resolvers without exposing the
content of queries, although it's not clear how much that buys you
given that for most applications, a DNS lookup is almost immediately
followed by an HTTP(S) connection which reveals the same information.
Garrett A. Wollman     | "Act to avoid constraining the future; if you can,
email@example.com      | act to remove constraint from the future. This is
Opinions not shared by | a thing you can do, are able to do, to do together."
my employers.          |   - Graydon Saunders, _A Succession of Bad Days_ (2015)
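The two classification tiers Garrett describes above (shallow port rules for applications 1, 2, 3, 7, 8 and 9, and DNS snooping for the rest), as an added worked example that is not part of his post and not Meraki's code. The port rules follow the mapping he gives; the DNS answers, flow records and the domain-to-label table are constructed assumptions. It also shows why the DNS-snooping tier survives encrypted DNS: once the resolver's answer is cached, the HTTP(S) connection that follows goes to the same address and is labelled the same way.

```python
"""Shallow (port-based) classification plus DNS snooping; constructed example."""
from collections import Counter

# Shallow rules in the order the post lists them: (label, proto, port predicate).
SHALLOW_RULES = [
    ("SSH", "tcp", lambda p: p == 22),
    ("Miscellaneous secure web", "tcp", lambda p: p == 443),
    ("Apple file sharing", "tcp", lambda p: p == 548),
    ("UDP", "udp", lambda p: p not in (53, 5353)),
    ("Non-web TCP", "tcp", lambda p: p not in (80, 443)),
    ("Miscellaneous web", "tcp", lambda p: p == 80),
]

# Constructed domain-suffix -> application label table (an assumption).
DOMAIN_LABELS = [
    ("youtube.com", "YouTube"),
    ("google.com", "Google HTTPS"),
    ("dropbox.com", "Dropbox"),
]

# Constructed DNS answers snooped from UDP/53 traffic: (name, resolved IP).
DNS_ANSWERS = [
    ("www.youtube.com", "203.0.113.10"),
    ("mail.google.com", "203.0.113.11"),
    ("www.dropbox.com", "198.51.100.5"),
]

# Constructed flow records: protocol, destination IP, destination port, bytes.
FLOWS = [
    {"proto": "tcp", "dst_ip": "192.0.2.1", "dst_port": 22, "bytes": 5000},
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 80000},
    {"proto": "tcp", "dst_ip": "203.0.113.11", "dst_port": 443, "bytes": 12000},
    {"proto": "tcp", "dst_ip": "198.51.100.5", "dst_port": 443, "bytes": 30000},
    {"proto": "tcp", "dst_ip": "198.51.100.77", "dst_port": 443, "bytes": 7000},
    {"proto": "tcp", "dst_ip": "192.0.2.2", "dst_port": 548, "bytes": 40000},
    {"proto": "udp", "dst_ip": "192.0.2.3", "dst_port": 53, "bytes": 500},
    {"proto": "udp", "dst_ip": "192.0.2.4", "dst_port": 16384, "bytes": 9000},
    {"proto": "tcp", "dst_ip": "192.0.2.5", "dst_port": 8080, "bytes": 2000},
    {"proto": "tcp", "dst_ip": "192.0.2.6", "dst_port": 80, "bytes": 1500},
]


def classify_shallow(proto: str, dst_port: int) -> str:
    """Tier 1: label a flow from transport protocol and destination port alone."""
    for label, rule_proto, pred in SHALLOW_RULES:
        if proto == rule_proto and pred(dst_port):
            return label
    # DNS and mDNS themselves are excluded from the "UDP" bucket above.
    return "unclassified by port"


def build_dns_cache(answers) -> dict:
    """Tier 2 input: map resolved IP -> name that resolved to it (DNS snooping)."""
    return {ip: name for name, ip in answers}


def label_for_name(name: str):
    """Map a hostname to an application label via the suffix table, or None."""
    for suffix, label in DOMAIN_LABELS:
        if name == suffix or name.endswith("." + suffix):
            return label
    return None


def classify(flow: dict, dns_cache: dict) -> str:
    """Web flows to a host we saw resolve get that host's label; else fall back
    to the shallow port rules."""
    if flow["proto"] == "tcp" and flow["dst_port"] in (80, 443):
        name = dns_cache.get(flow["dst_ip"])
        if name:
            label = label_for_name(name)
            if label:
                return label
    return classify_shallow(flow["proto"], flow["dst_port"])


def top_applications(flows, dns_cache: dict, n: int = 20):
    """Aggregate bytes per application label, most traffic first."""
    totals = Counter()
    for flow in flows:
        totals[classify(flow, dns_cache)] += flow["bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    for rank, (label, nbytes) in enumerate(top_applications(FLOWS, build_dns_cache(DNS_ANSWERS)), 1):
        print(f"{rank:2d}) {label}: {nbytes} bytes")
```

The flow to 198.51.100.77 lands in "Miscellaneous secure web" only because no DNS answer for it was seen; that is the gap a resolver-side or DNS-over-encrypted-channel setup closes for the observer at the wire, while the destination address of the subsequent TLS connection still leaks where the client went.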
Date: Sat, 7 Oct 2017 12:26:36 -0700 (PDT)
From: HAncock4 <firstname.lastname@example.org>
Subject: Re: Verizon to discontinue legacy services across seven-
On Thursday, October 5, 2017 at 8:53:58 PM UTC-4, Bill Horne wrote:
> U.S. telecom behemoth, Verizon Communications Inc VZ is reportedly
> seeking permission from the U.S. telecom regulator Federal
> Communications Commission (FCC) to discontinue four legacy interstate
> DS0 services across parts of seven states. These legacy voice and
> low-speed data services are Voice Grade Service, WATS Access Line
> Service, Digital Data Service and DIGIPATH Digital Service II.
> The affected states include Delaware, Maryland, New England, New
> Jersey, New York, Pennsylvania and Virginia. Verizon has about 10
> wholesale customers and approximately 67 retail customers for these
> services in the affected areas.
What will happen to people who don't have fibre service to their home?
Lots of places do not have it. Will they be forced to go over
to Comcast? In my area at least, Comcast is notoriously unreliable.
Date: Sat, 7 Oct 2017 21:42:21 -0400
From: danny burstein <email@example.com>
Subject: Google sending balloons to help PR phone service
[Al Jazeera. Live with it]
Google to use balloons for Puerto Rico phone service
Alphabet Inc is sending high-altitude balloons to provide phone service to
island devastated by Hurricane Maria.
Alphabet Inc, the company that controls Google, is sending special
balloons to Puerto Rico to help restore phone service after the island was
devastated by Hurricane Maria last month.
The US Federal Communications Commission said it had approved the
company's application to provide the emergency cellular service to Puerto
Knowledge may be power, but communications is the key
[to foil spammers, my address has been double rot-13 encoded]
End of telecom Digest Sun, 08 Oct 2017