31 Years of the Digest ... founded August 21, 1981
The Telecom Digest for November 30, 2012
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
Addresses herein are not to be added to any mailing list, nor to be sold or given away without the explicit written consent of the owner of that address. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest.
Date: Tue, 27 Nov 2012 01:32:33 -0500
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com.
Subject: Be careful what you share: How fraudsters use social media - and directory enquiries - to build an intimate picture of our lives
Message-ID: <firstname.lastname@example.org>

Be careful what you share: How fraudsters use social media - and directory enquiries - to build an intimate picture of our lives

* 192.com, Facebook and LinkedIn revealed as most useful sites for fraudsters
* Ex-offender reveals how he created fake profiles using a picture of an attractive woman to lure unsuspecting men

By DAMIEN GAYLE
12 November 2012
Mail Online

A new study has shown how fraudsters are able to use information shared online on social networks to build detailed profiles of potential victims.

Researchers interviewed one ex-offender to find out the techniques he and others use to garner details from online sources enabling them to steal others' identities.

He revealed that while users are often canny enough to withhold enough information on one site to foil fraudsters, resourceful crooks can collect enough data from various sources to apply for credit or make online purchases in their victim's name.

...

http://www.dailymail.co.uk/sciencetech/article-2231257/Be-careful-share-How-fraudsters-use-social-media--directory-enquiries--build-intimate-picture-lives.html
-or-
http://tinyurl.com/blnv8lq
Date: Tue, 27 Nov 2012 01:36:00 -0500
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: Apple's robot operator knows when it's pushed you too far: Swearing gets you connected to a real-live human
Message-ID: <email@example.com>

Why Apple's robot operator knows when it's pushed you too far: Swearing gets you connected to a real-live human

* Reddit users reveal dropping the 'F-bomb' can get you to an operator
* Many companies monitor calls for signs of distress
* But it may not help speed up your call - and it could even take LONGER

By DAMIEN GAYLE
22 November 2012
Mail Online

Try calling virtually any company these days and the chances are that you find it extremely tricky to speak to another human.

Apple is no different, with their customer care line employing an automated system to ask questions, identify your problem and, as a last resort, put you through to someone who might be able to help.

But now potty-mouthed tech fans have found a shortcut that can help callers bypass Apple's computer operator - dropping the F-bomb.

Reddit user floppybutton explained how he lost his temper with the calm computer voice as he tried to order a spare part for his broken laptop.

'After exploring every option possible in the machine based list, I eventually got frustrated and used a few choice words that triggered something in the computer I was talking to,' he said.

'It cut itself off in mid-sentence, apologised, and in about 10 more seconds I was talking to an Apple tech.'

...

http://www.dailymail.co.uk/sciencetech/article-2236832/Apples-robot-operator-knows-pushed-far-Swearing-gets-connected-real-live-human.html
-or-
http://tinyurl.com/cdfdymh
Date: Wed, 28 Nov 2012 11:49:18 -0800
From: "John Meissen" <firstname.lastname@example.org>
To: email@example.com.
Subject: rural phone calls often dropped
Message-ID: <20121128194918.3EC9B17F74F@john>

An article in the Addison County Independent talks about how rural phone customers suffer because long distance carriers will drop or misroute calls rather than pay the higher termination fees associated with rural providers.

http://www.addisonindependent.com/201211despite-new-policies-rural-phone-calls-often-dropped

I seem to recall a discussion a while back about abuses of these higher termination fees engineered to generate excess profits, but I don't remember any specifics. Perhaps some regulars here can point out where/how those abuses happened.

john-
Date: Thu, 29 Nov 2012 16:07:21 +0000 (UTC)
From: John Levine <firstname.lastname@example.org>
To: email@example.com.
Subject: Re: rural phone calls often dropped
Message-ID: <firstname.lastname@example.org>

>
>http://www.addisonindependent.com/201211despite-new-policies-rural-phone-calls-often-dropped
>
>
>I seem to recall a discussion a while back about abuses of these higher
>termination fees engineered to generate excess profits, but I don't remember
>any specifics. Perhaps some regulars here can point out where/how those abuses
>happened.

In this case, it's just what the article says, it's sleazy long distance companies accidentally on purpose dropping calls with high termination fees. The phone company they mention, Shoreham Telephone, was until recently family owned (my relatives sold it to a larger independent) and has the usual termination fees for rural LECs.

The abuses you're remembering were some tiny rural phone coops in the midwest that let third parties install conference bridges and dialaround services to call China, thereby driving up their inbound minutes to the point that AT&T's termination fees went from about $20K/yr to over $1 million, which they refused to pay.

That's not what's going on here, the calls are real calls to local subscribers.

--
Regards,
John Levine, email@example.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Date: Wed, 28 Nov 2012 12:46:46 -0800 (PST)
From: Mark Smith <firstname.lastname@example.org>
To: email@example.com.
Subject: Re: Calling Card Services
Message-ID: <1354135606.66778.YahooMailNeo@web122305.mail.ne1.yahoo.com>

I could not find the one I bought. This is the closest currently available:

AT&T 1000-Minutes US & International Rechargeable PrePaid Phone Card
Model#: 0060769805272
(32)
No more surprises on your phone bill. Less than $0.06 for 1000 Minutes of U.S. state-to state calling. International rates are higher. In-state rates may be higher read Terms and Conditions below
Online $18.71
Free shipping on eligible $45 orders with home free

> On Tue, Nov 27, 2012 at 02:26:03PM -0800, Mark Smith wrote:
> > I bought a 500 minute one at Walmart and it's never expired.
> > I used it a lot until I started carrying a cell phone.
> > Then my girl friend used it overseas through a government tie line.
> > [It's like making a call from Hyattsville, MD so any long distance
> > requires the card]
> >
> > Mark L. Smith
> > firstname.lastname@example.org
Date: Thu, 29 Nov 2012 06:22:44 -0500
From: Michael Muderick <email@example.com>
To: firstname.lastname@example.org.
Subject: Calling Card Services
Message-ID: <CAGhQzTq51O_OrGGk51o8oVceDAcN4H4qJXoNrreJq-YkS=+Zog@mail.gmail.com>

I bought an ATT 100-minute card at Walmart about 5 years ago. It still works. Never tried to recharge it...just didn't use it very much.

--
Michael Muderick
Date: Wed, 28 Nov 2012 16:33:21 -0600
From: email@example.com (Robert Bonomi)
To: firstname.lastname@example.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <3MadnUZqjtmsDCvNnZ2dnUVZ_t6dnZ2d@posted.nuvoxcommunications>

In article <email@example.com>,
Pete Cresswell <PeteCress@invalid.telecom-digest.org> wrote:
>Telecom Digest Moderator said:
>>The trick is to use easily-memorable pass-/*PHRASES*/ that won't be
>>in anyone's dictionary.
>
>Somebody suggested the "Dead Pet System"... concatenate the names of
>two dead pets and add digits to taste.
>
>- -
>Pete Cresswell
>
>***** Moderator's Note *****
>
>Since one of the most common "secret" questions that sites offer to
>remember in order to help me recover a forgotten password is "What was
>your first pet's name?", I have a couple of "virtual" pets and I use
>those names, which can't ever be guessed.
>
>For sites that insist on knowing my father's middle name, or my
>mother's maiden name, I have a couple of pseudonyms handy. The main
>thing to remember is that anything which is in a public record is
>/NOT/ secure.

If they're used as answer to an unrelated question, the fact that it is in a public record is not particularly significant.

e.g. using your birthday as answer for "your father's middle name". <grin>

***** Moderator's Note *****

If I enter "lamppoast-dezerte" as my father's middle name, instead of "Joseph", that's one less avenue for a cracker to take. Of course, it's better to have the password for the account tucked away in Password Safe ( http://passwordsafe.sourceforge.net/ ) so that I won't forget it, but for sites that demand an entry in such fields, it's always better to put in nonsense instead of "real" information.

Bill Horne
Moderator
Date: Wed, 28 Nov 2012 16:55:50 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: firstname.lastname@example.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <email@example.com>

Per Thad Floryan:
>Too many people are ignorant about passwords.

The posts about decrypting passwords using either an enhanced PC or massive parallel processing are leaving me in limbo.

They seem to beg the question of how the entity attempting to decrypt can tell if they have been successful.

Not knowing anything else, I want to think that they would have to try each password that they compute - whatever means they use.

But that seems to approach brute force - differing only in that they can come up with more possibilities in a shorter timeframe.

I'm starting to think that there is something going on that some of the thread contributors take for granted but which other contributors (like me) don't have a clue about.

It's as if somehow a given account's password can be computed reliably without having to try logging in to the account multiple times. gMail accounts, for instance.

The reference to "password hashes" sounds like a handle to the part I'm clueless about.

--
Pete Cresswell
Date: Wed, 28 Nov 2012 16:22:27 -0600
From: firstname.lastname@example.org (Robert Bonomi)
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <FtqdnYezuog-EyvNnZ2dnUVZ_r6dnZ2d@posted.nuvoxcommunications>

In article <P8qdna8PQYUctCjNnZ2dnUVZ_tCdnZ2d@posted.palinacquisition>,
Frank Stearns <firstname.lastname@example.org> wrote:
>"John C. Fowler" <email@example.com> writes:
>
>>Replying to Message-ID: <firstname.lastname@example.org>
>>References: <email@example.com>
>
>>Pete Cresswell:
>>> Can anybody comment on the specifics/methodology of this
>>> improvement?
>
>>While there have always been people who have chosen weak passwords,
>>even some of the stronger ones are starting to fall. The main reason
>>for that is PCs are getting faster, and large numbers of systems that
>>can work in parallel are becoming more available. That is, even if
>>you don't control a botnet of other people's infected computers, you
>>can still rent a bunch of virtual machines from Amazon or some other
>>cloud service provider, and do your dirty work there at a fraction of
>>what it used to cost.
>
>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>password variant s/he generates?
>

authoritative answer, "it depends."

If the bad guy can get the stored encrypted password, and knows the encryption method, he can use his own code to encrypt and check for match -- without ever touching the 'real' system.

'Locking out' account access, even temporarily, makes it easy for the bad guy to do a 'denial of service' by trying passwords he knows are bad.
Date: Wed, 28 Nov 2012 18:19:19 +0000 (UTC)
From: firstname.lastname@example.org (Garrett Wollman)
To: email@example.com.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <firstname.lastname@example.org>

In article <P8qdna8PQYUctCjNnZ2dnUVZ_tCdnZ2d@posted.palinacquisition>,
Frank Stearns <email@example.com> wrote:
>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>password variant s/he generates?

It depends on the nature of the attack. You are describing what is known as an "online" attack, and these are relatively common -- if you have a thousand machines that all share the same passwords, a cracker can try millions of passwords a second in an online attack.

But the sort of attacks we have been discussing are offline attacks: the cracker has gotten hold of something that either is encrypted using, or contains a cryptographic hash of, a password. These can be cracked completely offline, and the only limit is the computational resources required to test each guess. (In the case of the traditional Unix crypt() function, it's trivial to generate a "rainbow table" of all possible outputs for every (dictionary word, salt) pair, and then cracking is a simple matter of looking up the hashed value in the table to find the original password.)

-GAWollman

--
Garrett A. Wollman            | What intellectual phenomenon can be older, or more oft
firstname.lastname@example.org| repeated, than the story of a large research program
Opinions not shared by        | that impaled itself upon a false central assumption
my employers.                 | accepted by all practitioners? - S.J. Gould, 1993
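[Added example, not part of the Digest or of any poster's message: the offline check described in the password thread above, seen from the side of an administrator auditing stored records against a list of known-weak passwords. The function names, the iteration count, the fixed salts and the sample accounts are all constructed for illustration.]

```python
import hashlib
import hmac

ITERATIONS = 50_000  # assumed work factor for this example only

def fast_unsalted(password: str) -> str:
    """One unsalted SHA-256: equal passwords always give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: a per-user salt plus a deliberate cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def matches(record: dict, guess: str) -> bool:
    """Check a guess against a stored record. No login attempt is involved,
    which is why lockout counters never see this kind of test."""
    candidate = slow_salted(guess, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def audit(records: dict, weak_passwords: list) -> dict:
    """Return {user: weak password} for every record matching the weak list."""
    found = {}
    for user, record in records.items():
        for guess in weak_passwords:
            if matches(record, guess):
                found[user] = guess
                break
    return found

# Constructed sample data: two accounts share a weak "dead pet" password.
SAMPLE = {"alice": "fluffyrex7", "bob": "fluffyrex7",
          "carol": "violet-anvil-quarry-93"}
# Fixed salts keep the output repeatable; real systems use random per-user salts.
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
RECORDS = {
    user: {"salt": SALTS[user], "iterations": ITERATIONS,
           "hash": slow_salted(pw, SALTS[user])}
    for user, pw in SAMPLE.items()
}
WEAK = ["password", "123456", "fluffyrex7"]

if __name__ == "__main__":
    print(audit(RECORDS, WEAK))  # accounts that need a forced password change
    # Same password, different salts: the stored values differ, so one
    # precomputed table cannot cover both accounts.
    print(RECORDS["alice"]["hash"] != RECORDS["bob"]["hash"])
```

The salt makes every record a separate problem and the iteration count sets the cost of each guess; neither helps an account whose password is already on the weak list, which is what the audit reports.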
TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'. TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Bill Horne. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author. The Telecom Digest is moderated by Bill Horne.
43 Deerfield Road
Sharon MA 02067-2301
bill at horne dot net
This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category!

URL information: http://telecom-digest.org

Copyright (C) 2012 TELECOM Digest. All rights reserved. Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list. All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.