31 Years of the Digest ... founded August 21, 1981
The Telecom Digest for November 28, 2012
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
Addresses herein are not to be added to any mailing list, nor to be sold or given away without the explicit written consent of the owner of that address. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest.
Date: Tue, 27 Nov 2012 08:58:14 -0500
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: New York City Police Amassing a Trove of Cellphone Logs
Message-ID: <email@example.com>

City Is Amassing Trove of Cellphone Logs
By JOSEPH GOLDSTEIN
November 26, 2012

When a cellphone is reported stolen in New York, the Police Department routinely subpoenas the phone's call records, from the day of the theft onward. The logic is simple: If a thief uses the phone, a list of incoming and outgoing calls could lead to the suspect.

But in the process, the Police Department has quietly amassed a trove of telephone logs, all obtained without a court order, that could conceivably be used for any investigative purpose.

The call records from the stolen cellphones are integrated into a database known as the Enterprise Case Management System, according to Police Department documents from the detective bureau. Each phone number is hyperlinked, enabling detectives to cross-reference it against phone numbers in other files.

The subpoenas not only cover the records of the thief's calls, but also encompass calls to and from the victim on the day of the theft. In some cases the records can include calls made to and from a victim's new cellphone, if the stolen phone's number has been transferred, three detectives said in interviews.

Police officials declined to say how many phone records are contained in the database, or how often they might have led to arrests. But police documents suggest that thousands of subpoenas have been issued each year, with each encompassing anywhere from dozens to hundreds of phone calls.

For example, T-Mobile, which has a smaller market share than some of its competitors, like Verizon, fulfilled 297 police subpoenas issued in January 2012, according to a police document.

...

http://www.nytimes.com/2012/11/27/nyregion/new-york-city-police-amassing-a-trove-of-cellphone-logs.html
Date: Mon, 26 Nov 2012 23:12:09 -0500
From: danny burstein <firstname.lastname@example.org>
To: email@example.com.
Subject: more domain seizures by ICE
Message-ID: <Pine.NEB.firstname.lastname@example.org>

[press release]

WASHINGTON - U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI), law enforcement agencies from Belgium, Denmark, France, Romania and the United Kingdom, and the European Police Office (Europol) seized 132 domain names today that were illegally selling counterfeit merchandise online to unsuspecting consumers.

========
rest: http://www.ice.gov/news/releases/1211/121126washingtondc.htm

_____________________________________________________
Knowledge may be power, but communications is the key
email@example.com
[to foil spammers, my address has been double rot-13 encoded]
Date: Mon, 26 Nov 2012 22:06:16 +0000 (UTC)
From: firstname.lastname@example.org (Garrett Wollman)
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <firstname.lastname@example.org>

In article <email@example.com>,
Pete Cresswell <PeteCress@invalid.telecom-digest.org> wrote:
>Per Monty Solomon:
>>The ancient art of password cracking has advanced further in the past
>>five years than it did in the previous several decades combined.
>
>Can anybody comment on the specifics/methodology of this
>improvement?

A consumer-grade PC with a few gamer-grade video cards can crack an eight-character password in less than a day. Of course, this will depend on how the password is protected; I believe that number is for weak cryptographic hashes such as MD5, which is used in HTTP Digest authentication and numerous other protocols.

There's a growing literature of password-strengthening algorithms, which aim to make even shorter passwords stronger by increasing the computational difficulty of checking for a valid crack.

-GAWollman

--
Garrett A. Wollman | What intellectual phenomenon can be older, or more oft
firstname.lastname@example.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers. | accepted by all practitioners? - S.J. Gould, 1993
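An added example, not from the Digest or any of its correspondents, showing what Wollman's "password-strengthening algorithms" change: a bare MD5 digest costs one primitive hash per guess, while a stretched hash (PBKDF2-HMAC-SHA256 here, with a per-user salt) costs the attacker a configurable number of primitives per guess and per account. The iteration count, the guess rate and the search-space parameters are assumptions chosen for illustration.

```python
"""Added example: per-guess cost of a weak hash versus a key-stretching hash.
Values marked ASSUMED are constructed for illustration, not measurements."""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; ASSUMED, tune for your hardware


def hash_md5(password: str) -> str:
    """Unsalted single MD5: the weak style the post refers to (contrast only)."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_stretched(password: str, salt: Optional[bytes] = None,
                   iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256. Each guess costs `iterations` HMAC calls, and the
    random salt means one guess tests one account, not every stored hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_stretched(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def exhaustive_seconds(guesses_per_second: float, alphabet: int = 95,
                       length: int = 8, work_factor: int = 1) -> float:
    """Seconds to try every password of `length` symbols from an `alphabet`,
    given an attacker computing `guesses_per_second` primitive hashes where
    each guess costs `work_factor` primitives (1 for plain MD5)."""
    return (alphabet ** length) * work_factor / guesses_per_second


def cost_ratio(password: str, trials: int = 3) -> float:
    """Measured wall-clock cost of one stretched guess relative to one MD5 guess
    on this machine (a GPU cracker shifts both numbers, not their ratio's sign)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_md5(password)
    md5_t = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_stretched(password, salt)
    return ((time.perf_counter() - t0) / trials) / max(md5_t, 1e-9)


if __name__ == "__main__":
    stored = hash_stretched("correct horse")
    print(stored)
    print("verify:", verify_stretched("correct horse", stored))
    rate = 8e10  # ASSUMED primitive hashes per second for a multi-GPU desktop
    plain = exhaustive_seconds(rate) / 86400
    stretched = exhaustive_seconds(rate, work_factor=ITERATIONS) / 86400
    print(f"8-char space, plain MD5: {plain:.2f} days")
    print(f"8-char space, stretched:  {stretched:,.0f} days")
    print(f"measured per-guess cost ratio on this host: {cost_ratio('x'):.0f}x")
```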
Date: Tue, 27 Nov 2012 00:40:49 -0500
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: Another blow for state's anti-eavesdropping law
Message-ID: <email@example.com>

Another blow for state's anti-eavesdropping law
By MICHAEL TARM
Associated Press / November 26, 2012

CHICAGO (AP) - The U.S. Supreme Court on Monday delivered another blow to a 50-year-old anti-eavesdropping law in Illinois, choosing to let stand a lower court finding that key parts of the hotly debated law run counter to constitutional protections of free speech.

In that critical lower-court ruling in May, the 7th U.S. Circuit Court of Appeals found that the law - one of the toughest of its kind in the country - violates the First Amendment when used against those who record police officers doing their jobs in public.

Civil libertarians say the ability to record helps guard against police abuse. The law's proponents, however, say it protects the privacy rights of officers and civilians, as well as ensures that those wielding recording devices don't interfere with urgent police work.

The Illinois Eavesdropping Act, enacted in 1961, makes it a felony for someone to produce an audio recording of a conversation unless all the parties involved agree. It sets a maximum punishment of 15 years in prison if a law enforcement officer is recorded.

As it drew the ire of civil liberties groups, state legislators endeavored to soften the law earlier this year, but those efforts stalled. The high-court's decision could prompt a renewed push to overhaul it.

...

http://www.boston.com/news/nation/2012/11/26/another-blow-for-state-anti-eavesdropping-law/e0PPFIIdGj0NMOtxOfEcnN/story.html
Date: Tue, 27 Nov 2012 01:15:22 -0800
From: Thad Floryan <firstname.lastname@example.org>
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <50B484AA.firstname.lastname@example.org>

On 11/26/2012 6:42 AM, Pete Cresswell wrote:
> Per Monty Solomon:
>> The ancient art of password cracking has advanced further in the past
>> five years than it did in the previous several decades combined.
>
> Can anybody comment on the specifics/methodology of this
> improvement?
>
> - -
> Pete Cresswell
>
> ***** Moderator's Note *****
>
> It has become easier to "crack" passwords by guessing them: samples of
> passwords entered by users show that users are prone to using the names
> of relatives, pets, or objects in their immediate vicinity when they
> have to enter a new password. Common substitutions, such as using
> "leet speek", a patois once popular with the online hacking community,
> are also included in the lists used for "dictionary" attacks.

Too many people are ignorant about passwords.

There's an interesting article in the December 2012 issue of WIRED (page 180) entitled "HACKED" but I couldn't find a URL for it (yet). Another article by the same author is here:

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

The December 2012 article has many errors of fact (e.g., concerning the computer systems at MIT, etc.) but there are some good suggestions/tips that people should abide by, the most important of which is NOT to use the same password for more than one service or system.

A good friend [Mark Crispin (author of the email IMAP RFC and many others)] whose bio is here:

http://en.wikipedia.org/wiki/Mark_Crispin

once confided in me that he used the same password on some 50+ systems including BBS systems where the passwords were stored in plaintext and his BBS password was used by an unscrupulous SYSOP to get into many of the other systems to Mark's extreme discomfiture.
Date: Tue, 27 Nov 2012 11:36:08 -0500
From: Bill Horne <bill@horneQRM.net>
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <20121127163608.GA25806@telecom.csail.mit.edu>

On Tue, Nov 27, 2012 at 01:15:22AM -0800, Thad Floryan wrote:
> A good friend ... once confided in me that he used the same password
> on some 50+ systems including BBS systems where the passwords were
> stored in plaintext and his BBS password was used by an unscrupulous
> SYSOP to get into many of the other systems to [his] extreme
> discomfiture.

The usual rules apply: things that cost more need better protection. If you use a weak password for your online banking, you'll get bitten sooner or later, but even a strong password is no guarantee of safety if you don't review the account regularly or if you keep more money in it than you can afford to lose.

The problem with passwords is that they are, in effect, a "feel good" process, akin to the TSA: they are what Bruce Schneier calls "security theater". Password-based authentication was implemented to prevent time-sharing users from denying how much time they spent using someone else's computer, and only later came to be used as a way to "protect" users' data: passwords have always been a limited technique that is used only because there isn't anything better that computer owners are willing to adopt without external pressure being brought to bear.

Actually securing information from prying eyes is a lot harder than what most companies and/or users are willing to pay for. Two- or three-factor authentication is just too complicated for the average user, and too expensive for firms to justify: when an online marketer is working on a two to five percent markup, every second of the IT staff's time is going to be committed to increasing sales, not to protecting data.

The data, bluntly put, isn't their problem: the cost of the loss of a social-security or credit-card number is externalized onto the customers, most of whom don't have the ability to take legal action following an attack.

The only effective drivers for improved security are insurance underwriters and governments, and (as Schneier pointed out years ago) they are likely to drive changes in security for the same reasons that they drive effective alarms in banks, night watchmen at high-value targets, etc.: i.e., they are people left holding the bag when too-big-to-deny disasters strike.

The insurance industry is a driver because it's the ultimate loser in any major hack, and they are the only group that has the political and societal muscle needed to force change. That's why there are airbags in cars, and that's why there is an Underwriters Laboratories seal on the electrical panel in your home: the cost of failure is too high to bear, and too visceral for any politician to ignore.

When there's a major computer attack that costs a lot of wealthy people a lot of money (think triple-witching-days on Wall Street), then we'll all be signing on with smart cards after retina verification.

In the meantime, we have passwords.

Bill

--
Bill Horne
(Remove QRM from my address to write to me directly)
Date: Mon, 26 Nov 2012 08:09:17 -0800 (PST)
From: "John C. Fowler" <firstname.lastname@example.org>
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <1353946157.50354.YahooMailClassic@web163906.mail.gq1.yahoo.com>
Replying to Message-ID: <firstname.lastname@example.org>
References: <email@example.com>

Pete Cresswell:
> Can anybody comment on the specifics/methodology of this
> improvement?

While there have always been people who have chosen weak passwords, even some of the stronger ones are starting to fall. The main reason for that is PCs are getting faster, and large numbers of systems that can work in parallel are becoming more available. That is, even if you don't control a botnet of other people's infected computers, you can still rent a bunch of virtual machines from Amazon or some other cloud service provider, and do your dirty work there at a fraction of what it used to cost.

Encryption that was fine a few years ago is now no longer considered acceptable. However, companies have not bothered to update their encryption, as customers are not demanding it. (Saying "Of course our passwords are encrypted!" is good enough for most people.) Many of the recent password breaches, while encrypted, have turned out not to be encrypted very well by modern standards.

Your best strategy is to just use different passwords at different sites, so compromise of one will not lead to compromise of all. Even if you have a really strong password, you shouldn't use it everywhere.

John C. Fowler, firstname.lastname@example.org
Date: Mon, 26 Nov 2012 13:04:39 -0600
From: email@example.com (Robert Bonomi)
To: firstname.lastname@example.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <xbKdnYbPbIbaIC7NnZ2dnUVZ_hKdnZ2d@posted.nuvoxcommunications>

In article <email@example.com>,
>
>***** Moderator's Note *****
>
>Let me get this straight: do they mean that changing my els to ones
>and my o's to zeroes doesn't keep me safe anymore?

On the off-chance that that is not a Rhett-orical question -- 'standard' hacker technique for 'dictionary'-based attacks has included such spelling 'variations' for AT LEAST A DECADE.

A question one asks, but "frankly my dear, don't give a damn" about the answer to.

***** Moderator's Note *****

It was not Rhett-orical. It was Puckish.

Everyone knows that using *ANY* dictionary word as a password is an invitation to attack. What many users don't know is that hacker dictionaries have all the common variants in them, such as putting an exclamation point at the end of a word. The trick is to use easily-memorable pass-/*PHRASES*/ that won't be in anyone's dictionary.

Bill Horne
Moderator
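An added example, not from the Digest or its moderator, of the defender's side of the Moderator's Note above: a password-acceptance check that undoes the "els to ones, o's to zeroes" substitutions and the trailing "!" or digits before comparing against a wordlist, so that a variant of a dictionary word is rejected just as the word itself would be, while a multi-word passphrase passes. The wordlist and the substitution table are small constructed samples, and the minimum length is an assumed policy value.

```python
"""Added example: reject dictionary words and their common variants at
password-set time, the way a cracker's wordlist already treats them.
The wordlist and substitution table are constructed samples."""
import re
from typing import Set, Tuple

# Constructed sample; a real deployment uses a large leaked-password list.
WORDLIST: Set[str] = {"password", "secret", "letmein", "welcome",
                      "dragon", "monkey", "hello"}

# Undo the digit/symbol substitutions the Note calls "leet speek" (ASSUMED set).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # ASSUMED policy value, chosen to favour passphrases


def variants(candidate: str) -> Set[str]:
    """Return the plain words a candidate collapses to once the usual
    decorations are removed: case, trailing punctuation ("word!"),
    trailing digits ("secret1", "dragon2012"), and leet substitutions.
    Both the digit-stripped and unstripped forms are kept, because a
    trailing digit may be decoration ("secret1") or part of the
    substitution ("h3ll0")."""
    s = candidate.lower()
    s = re.sub(r"[^a-z0-9]+$", "", s)          # drop trailing punctuation
    bases = {s, re.sub(r"\d+$", "", s)}        # with and without trailing digits
    return {b.translate(UNLEET) for b in bases if b}


def check_password(candidate: str,
                   wordlist: Set[str] = WORDLIST) -> Tuple[bool, str]:
    """Return (accepted, reason). Dictionary check runs first so the user
    learns that a decorated word is still a word, not just 'too short'."""
    hits = variants(candidate) & wordlist
    if hits:
        return False, "variant of dictionary word %r" % sorted(hits)[0]
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: decorated dictionary words and a passphrase.
    for pw in ["Passw0rd!", "S3cr3t2012", "H3ll0", "nagra tape in the wet quarry"]:
        print("%-32r -> %s" % (pw, check_password(pw)))
```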
Date: 26 Nov 2012 19:33:35 -0500
From: firstname.lastname@example.org (Scott Dorsey)
To: email@example.com.
Subject: Calling Card Services
Message-ID: <firstname.lastname@example.org>

I just received a letter in the mail telling me that due to changes in their billing system, Credo will no longer be able to provide calling card services past Dec 31.

I find the calling card very useful and use it a lot, but in bursts. Does anyone have any suggestions for other providers for calling cards?

I find purchasing prepaid phone cards at the corner bodega is not worth the trouble since they often go out of date before I use them. I'll make a lot of calls when I'm on travel but it can sometimes be three or even six months between trips.

--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Date: Tue, 27 Nov 2012 00:54:35 -0500
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: Cambridge's Bluefin Labs decodes social media chatter
Message-ID: <email@example.com>

Cambridge's Bluefin Labs decodes social media chatter

Facebook users "like" things 2.7 billion times a day. People share their opinions more than 500 million times daily on Twitter. Now, this start-up is betting it can change everything from product placement to how we elect our president.

By Neil Swidey
NOVEMBER 25, 2012

IN THE 1930S AND '40S, Hollywood had a way of tracking the popularity of its movie stars. Studios would sift through the quarter of a million or so fan letters that arrived each month and sort them into separate bags by actor name. Then studio employees would heave these bulging bags onto a scale, according to industry researcher Leo Handel. A big spike in weight meant the star was trending up. A sharp decline suggested the star was on the way to becoming yesterday's news.

As measurements go, this was pretty crude. Even back then, the people who would take the time to write a letter represented a tiny subset of the population, usually teenagers motivated by an excess of adoration (or antipathy). So, in time, movie executives would follow the lead of their counterparts in radio, television, and advertising and adopt the techniques of opinion research to understand what their audiences wanted. The push toward data collection in television brought us Nielsen families, those chosen few whose living room diaries and, eventually, People Meters were powerful enough to keep their favorite shows on the air. And it brought us the ubiquitous focus group, where a dozen unhurried souls would be steered into a conference room and, in exchange for 50 bucks and all the M&M's they could eat, be asked to render a verdict on a new program.

Yet it hasn't always been clear how much we've gained from this relentless pursuit of audience preferences. High Nielsen ratings - scores that were extrapolated from just several thousand households - kept shows like Three's Company and The Love Boat on the air long past their sell-by dates. And I've been suspicious of the focus group ever since the seventh grade, when on a trip to New York I somehow got shanghaied into testing a sitcom starring Harold Gould as a skirt-chasing widower. Against the heated objection of this 13-year-old out-of-towner, CBS went ahead and aired Foot in the Door in 1983, though the network thankfully mercy-killed it after just six episodes. What's the point of market research if it regularly leads to doozies like that? We might as well bring back the fan-mail scales.

Thanks to social media, thousands of fan letters and complaint missives, huzzahs and boos, are now being written every single minute. Twitter alone processes half a billion tweets each day. But there are problems. As with those letter-writing fans of the past, today's social media commenters skew young. And right now, the most common methods for tracking their views resemble the "trending by weight" measures the old studios favored: Multiple firms tally all mentions of a TV show or movie made on social media, then report grand totals across general categories. This is useful only to a point.

Twitter, Facebook, and other services have already transformed media from a one-way conversation into a democratized, constantly churning feedback loop. In time, social media hold the promise of exercising enormous influence over everything from the shows we watch on TV to the toothpaste we buy in the supermarket to the politicians we send to Washington. "Social TV" and the "second screen" experience - watching the TV set while cradling a smartphone or tablet - may even rescue live television viewing from the dustbin into which the DVR has swept it. Yet the only way any of this is going to happen is if somebody can reliably convert all that online chatter into meaningful information.

After all, if someone tweets "the office is making me cry," is that person referring to a particularly poignant episode of the NBC comedy or a hostile workplace? Even more difficult is discerning sentiment. Are most of those millions of mentions about your show praising it or panning it? And what if the name of the show isn't even mentioned? Making those kinds of interpretations is easy for humans yet exceedingly difficult for computers. But they're learning.

A Cambridge start-up called Bluefin Labs is marrying the computational power of machines with the interpretive guidance of humans to make sense of - and profit from - the fire hose of nonstop social media. The company's work builds on the research of its two cofounders, MIT guys who have dedicated their professional lives to teaching machines to understand human language. Now they are using that knowledge to teach machines to understand what we really mean when we tweet or post about everyone from President Obama to Honey Boo Boo. The outcome just may be as important to the president as it is to that cringe-worthy pint-size product of reality TV.

...

http://www.bostonglobe.com/2012/11/25/cambridge-bluefin-labs-decodes-social-media-chatter/SLDp9nflJK0tFQKBPuVZhP/story.html?s_campaign=8315

Bluefin Labs: Decoding online chatter
http://bostonglobe.com/lifestyle/style/2012/11/21/bluefin-labs-the-social-media-eavesdroppers/caE7V0V26bZXBXU9vLPcDM/story.html?s_campaign=8315

***** Moderator's Note *****

Ascertaining the "true" message content of millions of online missives won't mean anything until, and unless, Bluefin can ascertain the true identity of the senders. Until the company is able to identify end-users and screen out hype-bots, they're just another scale to put the bags on.

Bill Horne
Moderator
TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'. TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Bill Horne. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author. The Telecom Digest is moderated by Bill Horne.
43 Deerfield Road
Sharon MA 02067-2301
bill at horne dot net
This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category! URL information: http://telecom-digest.org Copyright (C) 2012 TELECOM Digest. All rights reserved. Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list. All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.