Slashdot Mirror

Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

Uh, the *primary* way SMS 2FS is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news...

From the article:

A SIM swap typically happens using the following methods:
* Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
* Stealing passwords from employees at the mobile operators or mobile dealers.

Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of customer information we generated, presented in random order, and all masked so that only partial values are visible to the agent) for 4 out of 5 customer details (e.g. cellphone number, email address, physical address, national ID number, account number) in 2 attempts before the agent would be able to do anything on the customer's account. If the 2nd attempt failed, it would be logged, and if 2 failures were logged in 48 hours, a security ticket would be opened automatically. We were planning on adding an additional level of opt-in authentication for security-conscious customers. Escalation staff were able to bypass the customer validation, but they had to provide a reason (e.g. escalation ticket number), and this was also logged and reviewed by their managers.

Our system as-is would prevent/limit the 2nd method to perform sim-swaps listed above, but without the additional enhancements that were planned wouldn't have prevented the first one from being viable by well-prepared attacker.

Mobile operators really can do a much better job here, but they don't want the additional staff costs that would result from changes to these processes.

In South Africa, there have been a lot of cases of what is referred to here as 'SIM-swap fraud'. It seems that there are syndicates operating that have accomplices who have:
- sufficient access to bank customer information for social engineering to re-set or change internet banking passwords and get the customers cell-phone number
- access to perform a SIM-swap of the victim's number, so that they can approve actions such as adding beneficiaries, change transaction limits while also preventing customers from receiving notifications of activity on their account

So securing SS7 is not the only stwp required to fix SMS as a 2nd factor.

Here is a recent case of a customer losing about $20 000 this way: https://mybroadband.co.za/news...

Google searches for "SIM-swap fraud" turn up reports from the UK and other European countries.

Wow it took me all of 4 seconds to Bing it and it was the very first result...maybe you should try a different search engine once in a while?

Consider a little town in Texas who's name I cannot recall (talking population in the hundreds).

It was probably South Africa, although it wouldn't surprise me if there were multiple examples of this.

There was a case like this in South Africa, regarding cell towers.

http://idle.slashdot.org/story/10/01/15/1516245/tower-switch-off-embarrasses-electrosensitives
http://mybroadband.co.za/news/Wireless/11099.html/

Yeah, and I'll remark people seem to be forgetting the word "prototype".

And this looks pretty classy for a prototype!

http://mybroadband.co.za/news/...

Looking over the criticisms: I see a lot of "edge case tweaks", but not thing fundamentally show-stopping. So if you give this all a bit of a forward-future roll, let's try a few ideas:

1. Keyboard vs Mouse.
Keyboards "tend to be wide". Sure, modern designers found some ways to use that bottom layer well. But computer mice *do* seem to have a fair amount of "dead space" while the thing "embiggens" itself to fit your hand ergonomics. So at least partially using that space cleverly is interesting.

2. "Gaming rage & throwing mouse to wall" and "how do you clean it". Just suppose the design has one layer with the comp "in a removable box" aka a square chunk of the hardware. Yes, it happens to sit in the mouse housing, and there's a few wires in there, but just make the super expensive core removable.

3. Keyboards.
To me it's less of a finicky point of mouse contour shape vs keyboard dynamics. So shove the comp stuff into the mouse, and then people can just buy their favorite keyboards. Notice this includes roll-up ones.

4. HDMI cable.
This is where I want to "roll the future forward". We're also pretty close to "monitor goggles", that look to the eye like a 20+ inch screen. Then have the mouse-comp communicate the signal wirelessly. Nothing stopping the goggles from having a co-processor, like they used to do for arcade machines. I've always wanted to do "computing in thin air". So with just a mouse, roll up keyboard, and goggles, your entire comp fits into a small backpack!

I'm a South African and most of my friends and family use WhatsApp. In South Africa, as in many other developing countries, SMS text messages are expensive and WhatsApp is used to save costs. BlackBerries are also (still) popular here - free BBM was a main reason for its popularity. WhatsApp's cross-platform capability (iOS, Android, BB and even Symbian) makes is a very attractive option.

Please see the article below:
http://mybroadband.co.za/news/...

Er, just a second here. I live in South Africa, which has recently been proven to be one of the most expensive countries in the world for broadband. [source: http://mybroadband.co.za/news/broadband/93895-broadband-price-per-mbps-shocker-for-south-africa.html%5D. No matter your provider in USA, I believe it's still a damn sight cheaper there than it is here. Count yourselves lucky!

Unfortunately this actually does happen in South Africa http://mybroadband.co.za/news/security/94614-website-security-flaws-in-sa-shooting-the-messenger.html

This is not the first time D-Link have been caught doing stuff like this, and the DNS attack is exactly what happens when the bad guys find out.
This was a big issue here in South Africa a few months ago. Telkom (the local state owned incompetent telco) were selling approved DLink modems with helpful extra admin accounts (username: support password: support was one I saw) which suddenly started redirecting traffic to interesting locations.

http://mybroadband.co.za/vb/showthread.php/553957-City-of-Joburg-security-issue-everyone-can-see-all-customers-statements?p=11014501&viewfull=1#post11014501
"Hi all, I have yet to get contacted by CoJ or anyone else responsible/concerned about my initiative to help close the data-leak. As far as I am concerned I have not done anything illegal and have not been charged or accused of having conducted anything illegal. The CoJ certainly makes it out that the customer invoices were accessed in an sophisticated and malicious hack. I did elaborate this to the press and while all of you understand exactly what happened it is still astounding that CoJ attempts to bury the real story instead of taking accountability for what actually happened. Although this incident is presented as an attack, Google managed to index the tax-invoices dating back to February 2013 and all information circulating in the press (such as the mentioned SANRAL tax invoice) have been publicly available via a simple Google search, prior to my discovery on 20th August 2013. The CoJ claims of a hack are simply rubbish and any person with an internet connection would have been able to view the same information. There is ZERO IT-skill required to change an invoice number in a web-address. I am not going to worry about any criminal or civil charges and a team of lawyers is ready to deal with those should that situation arise. It is quite shocking to see how the media reported on this issue despite having had many witness accounts and solid evidence at hand. In my opinion it should have never gotten to the point that this situation is now all over the news, had the CoJ acted responsibly and shown accountability and prompt resolve. I think MyBroadband has managed to capture the actual events very accurately and I appreciate all the support, PM's and phone-calls I have received over the last few days. As a rate- and tax-payer it is our civic duty to ensure that our resources are managed in a responsible way and it is quite an embarrassment that our leaders (which we pay via our taxes) show zero interest in serving their residents - if they did, we would not sit with the number of threads and misinformation currently being pedalled to save face. The newspapers equally act irresponsibly by printing anything being said without having verified actual facts (which are readily available) and as such are not improving the situation. As a CoJ resident I am ashamed to life in a city where their representatives lie and misinform to cover up incompetence and shy away from their own accountability."

16:10 was the standard before the industry decided that 16:9 is actually cheaper to produce http://mybroadband.co.za/news/hardware/17621-widescreen-monitors-where-did-1920x1200-go.html http://www.displaysearch.com/cps/rde/xchg/SID-0A424DE8-28DF6E59/displaysearch/hs.xsl/070108_16by9_PR.asp

The East African SEACOM cable has been having outages lately; they posted an outage notification due to a cable break off the Egyptian coast at 08:40 UTC yesterday (March 27th, 2013). Of course, this has been having knock-on effects: for instance, many South African ISPs use this cable as their primary international link, and have had to fall over to secondary links resulting in significant service degradation.

Co-incidence? Perhaps, perhaps not...

And here is the source since I forgot the link.

To be fair, there are a group of people who claim to be ridiculously, rabidly, anti-RF anything, even allergic to Wi-Fi, and well beyond logic to the point of hysteria. And there are other people who have learned to echo similar baseless and ludicrous claims to oppose any political or technological changes they don't like when those changes involve RF.

One of the more dramatic cases of this happened a few years ago in Craigavon, South Africa. There was a group of people living in the town who came down with mysterious headaches and ailments and rashes immediately after an iBurst tower was erected in the town and was powered up. They claimed their problems subsided within minutes or hours after leaving the vicinity of the tower, and that their symptoms weren't fully gone only until after a full month away from the tower.

The townspeople held some protests, and eventually a meeting was arranged with the CEO of iBurst. At the meeting he agreed to work with the town to turn off the tower to see if that would help their symptoms go away. He also informed them that they were receiving a dose less than one ten-thousandth of the international safety standards for cell tower emissions, and that their tower was incapable of causing the problems they were complaining of. Yet the townspeople still stood up in front of the meeting and listed off their ailments, and offered the various proofs that their symptoms went away as soon as they left the area of the tower. But what the townspeople weren't told until after the meeting is that the tower had actually been switched off as a result of their first protests, and had remained powered off for over six weeks prior to the date of the meeting itself; this fact was confirmed by the logs from the company who had purchased the tower and had been unable to provide service for the prior six weeks. Nobody from the town showed up at the followup meetings held a month later. You can read about it here.

The sad part is that even though every single one of them can and will be exposed as a liar, people still use these anti-scientific anecdotes as reasons to oppose whatever it is they don't like or understand. The anti-vaccine group rallies around a few noisy people who had unfortunate losses for reasons unrelated to the vaccines, and then political opportunists pick these up as rallying cries, unconcerned about the very real deaths they're causing in kids who go un-vaccinated.

The smart grid meters are plagued with these kinds of baseless accusations because there is a group of people who are politically opposed to them. They muddy the topic with whatever lies they can to get people to "raise the question". So when you posted your original comment regarding safety, you didn't ask a question in a way that distinguished yourself from the anti-science crowd - instead, you used the term "the jury's still out", which sounds exactly like their statements regarding anything they are trying to appear neutral or thoughtful on, yet are still trying to keep a controversy brewing. And I think that's why some people were unkind in their responses to you. Politics aside, no anti-science viewpoint is ever looked upon kindly by most slashdotters.

Technology in South Africa is being developed at a rapid pace as their bid for SKA is gaining ground. With the completion of the first 7 antennas on the KAT-7 project, the first use of composite materials for dish reflectors. With Namibia, Botswana, Mozambique, Zambia, Mauritius, Madagascar, Kenya and Ghana partnering with South Africa in the bid, Africa seems to have overcome all the major obstacles associated with the project. Nokia is willing to supply the 15 petabyte per second infrastructure and EMSS Antennas have already built the first seven cryogenic low noise amplifiers. 64 dishes for the MeerKAT project has just been approved and after completion it will be one of the largest, most sensitive radio telescopes in the world."
Link to Original Source

There is an actual case here in South Africa : http://mybroadband.co.za/news/wireless/11099-massive-revelation-in-iburst-tower-battle.html Residents were complaining of the usual suspects, rash, headaches, etc. iBurst agreed to turn of the tower (having actually turned it off 6 weeks earlier) and the residents symptoms improved suddenly while they had not improved over the previous 6 weeks.

Wait, how does a pro-open source tech site having majority Windows using readers prove open source is the biggest threat to Microsoft? You don't know the proportion of Windows users that are interested in Linux, you only know the proportion of tech site readers that use Windows. Are you really extrapolating tech site readership out to the general population?!

Read what I wrote. It wasn't ME making the claim. Microsoft's filings with the SEC make the claim that linux and open source are their biggest threat.

Better yet, Ballmer has been saying that linux is the #1 threat since 2001

June

Microsoft's Ballmer calls Linux the biggest threat to Microsoft.

And they also admitted it to the SEC in official filings in 2009

So, why are they so scared? Because it threatens their stack, which includes Office, their one true cash cow.

They've never turned an annual profit with servers.

They've been a complete loss in terms of revenue from HPC, and are abandoning the field.

Ditto for corporate projects like the stock exchange mess, that they totally failed at.

Windows doesn't bring in all that much money. Most people simply don't buy it retail. The real money is in the "software assurance" program, and in Office. Get rid of those, and Microsoft is a perennial money loser.

And linux has been used as a threat to dump the software assurance program, which most businesses don't need, since they can now get by with doing a cheap hardware refresh instead with the money they save. Desktops no longer cost $2k apiece.

So that leaves Office. The one solid, year-in, year-out, for 15 years #1 profit center. And people are asking "why upgrade any more? What I've got is good enough."

If you don't need to upgrade, and the vendor tries to force an upgrade on you, and you have a choice, it's time for the vendor to cut prices. Office will continue to be a cash cow for the next decade, but that's about it.

I don't come here to be enlightened. I come for a fight.

Well, at least you're up front about your pro-ms trolling ...

If you believe that you are a moran.

>Then can I please have your four patent numbers.

You're going to do a patent search in the South African patent office (which does not have an online search facility b.t.w) just to try and prove me ignorant of patents ? And I'm supposed to be so indignant that I call your bluff or if I don't then you win ?

*yawn*...
Oh... and you still haven't told me what this has to do with anything I said ? I never discussed the structure of the patent system so even if you were right here... SO WHAT ? You never answered, at all, any of the things I actually said. So how does it feel when I now completely ignore YOUR point ? Especially since it's completely irrelevant ?

>Software patents are legal in South Africa as they are anywhere else,
>both with and without the patent reforms advocated by "slashdotters".

No. They are NOT. In fact the law specifically PROHIBITS them. The problem here is something else. We have no patent checking process. All patent applications are granted by default, and then revoked if there is a complaint (and this complaint is found valid) so despite software patents beings specifically illegal, microsoft now holds over 300 of them in South Africa. Including a patent on Tabbed-browsing (like they could possibly have invented that...)
http://mybroadband.co.za/news/Software/9622.html

So much so has their actions been that there is in fact now a non-profit organisation here that specifically exists just to file complaints against their patents (well they do activism and stuff too but that's the core of it - and yes, I'm a member and contributor): http://ftisa.org.za/
People who are actually law professors in South Africa like Andrew Rens (Author of the South African Creative Commons License) do not agree with your claims about it. I believe them better informed about South African law than you are.

>You just need add to the prologue of the patent text "a generic computer
>comprising of CPU and volatile storage..." and then it is no longer a
>"software patent".

Sorry my friend, but you don't even understand our legal SYSTEM let alone our laws. It doesn't WORK like that here, NOTHING does. Here judge's word have the force of law (in fact the body of legal decisions are known as the "common-law"). More importantly in any ruling our law requires a judge to rule on the SPIRIT and INTENT of the law, NOT it's letter. Nobody here ever gets off on a technicality and clever wordplay won't let you file a patent that's illegal.

>It is only PURE software patents that are excluded by anti-software
>legislation. It so happens that there are almost no PURE software
>patents anywhere because lawyers are always careful to include the
>text above just to be sure. And in any case, a PURE software
>patent would have no utility so would be excluded from admission
>in any case.

Let me take it a step further and say that software patent, regardless of whether it includes your little disclaimer, does not have any utitility and should be excluded in any case. Many people believe that a patent system is a good thing, and here on /. many of them advocate it - merely restricted to exclude certain things, like e.g. maths and software and plots for books.
But knowing that lawyers think like you, that they think adding a stupid sentence to the top of the page changes a bad patent into a good one without altering what it covers in any way... well that's why I no longer believe patents are a good thing AT ALL.
I actually think they were a pretty good thing in for example the automotive industry. But they way they are used in the software industry and pharmaceuticals is so incredibly bad that I would wager the small advantage they give in those industries they were meant for are greatly outweighed by the massive harm they do in others. Trying to restrict them out of those clearly won't work because lawy

They brought this in last year here in South Africa. I consider it a huge invasion of privacy as it has lots of potential for being abused. http://mybroadband.co.za/vb/entry.php?763-RICA-act-is-bullying-beyond-belief

Context for the Africa comment:

http://mybroadband.co.za/news/Wireless/11099.html

A community sues iBurst because they claim their tower was making them sick. iBurst reveals that the tower wasn't even on.

Do you have a source for that?

Not quite identical to the parent's story, but this is a reasonably close match: http://mybroadband.co.za/news/Wireless/11099.html

Microsoft is FUDing, and Mark Shuttleworth called them on it:

Microsoft is asking people to pay them for patents, but they won't say which ones. If a guy walks into a shop and says: "It's an unsafe neighbourhood, why don't you pay me 20 bucks and I'll make sure you're okay," that's illegal. It's racketeering.

To fix the patent situation, we need that kind of vocal support of executives. Will we get that support from Matt?

Where the towers turned on or off at the time of the study.

http://mybroadband.co.za/news/Wireless/11099.html

Sorry. I originally heard the story in a /. post, and that poster had a link to a news article about it. I have nothin' though.

Found it here (unsurprisingly on fark :-)

Last year I posted this:
"I'm willing to give this lady R10,000 CASH if she passes a double blind test in telling me when a tower is on or off. South Africa needs a James Randi, Penn n Teller, aka BS debunker."
10,000 in South Africa rand is about $1350 as of writing.
http://mybroadband.co.za/vb/showthread.php?p=3360119#post3360119

The "try before you buy" excuse that people give as a reason to pirate (very popular here at Slashdot) has always been a steaming pile of bullshit, as is the tale that PirateBay is primarily used for legitimate torrent downloads. Pure bullshit. Honestly, it's difficult to take people that say these things seriously.

Wow, all that hard data you provided has convinced me! Maybe you should provide it to people who do studies that say the exact opposite?

6dB is the point of no return; below this value you are going to have issues. That being said, 9dB isn't great.

I've found this forum post which explains far better than I ever will what values for SNR and line noise are good and which will cause you to hate BT like the plague.

I couldn't believe anyone at Microsoft would actually say something like that in public, so i had to read the article to see it myself. I am no fan of Microsoft's business practices or products, but I would like to believe that that employee was misquoted somehow.

I know some people in South Africa had this problem when going to yahoo.com they were redirected to Baidu. http://mybroadband.co.za/news/General/1678.html

http://mybroadband.co.za/blogs/2007/06/11/google-favours-kenya-over-sa/ With a Google data center in Kenya and its vested interest in expanding the world's infrastructure, we may see the day when a Google laid line gets dropped right off the African coast...

Well, reports mention SJ wants 1M iphones sold by end of Sept. Further reports indicate the July pace shows it might fall short.

Yep for all the dickheads who drink the koolaid this is the context

So you wouldn't do a deal?

No, absolutely not. But the time will come when the folks at Microsoft who have a clear vision for the company as a participant in this community, rather than as a hostile antagonist, will win. At that point I'd love to work with Microsoft. It's not an evil empire. It's just a company that is efficiently grounded in the 1980s. New leadership and new thinking might make it a more effective partner for us.

http://mybroadband.co.za/nephp/?m=show&id=6672

Quoting a poster on another board:

"Xandros are about to go BK (and this deal guarantees it), desperation
creates mistakes. EV1 was headed by a business incompetent. Novell had just had
Hovsepian parachute in with a desperate need to impose his authority despite a
shaky understanding of the business.

Seeing a pattern yet... only screwed up companies went for the deals. Knowing
that its real hard to take SCOX or MSFTs few success's totally seriously."

Come to think of it, scox was heading towards certain bankruptcy before msft got
involved. And let's face it folks, Linspire was never much of a distro.

The real Linux heavyweights: Redhat, Debian, Ubuntu, etc. Have flatly stated that they have no interest in msft's patent deals.

Mark Shuttle gives excellent commentary on the scam . . er, I mean deal, in this interview.

.. about who supplies you with your broadband access. In South Africa we have a single telecoms provider, Telkom, who is the sole international bandwidth provider for the entire country, and (what a surprise) they're also an ISP.

It's a government enforced monopoly busy making money hand-over-fist on the backs of an emerging economy. http://www.mybroadband.co.za/ reports that the average adsl bill is 110% of the average salary in South Africa, meaning it's a service that's only available to a select few who can afford it. The sick part is that goverment is the majority shareholder, and so does not have the people's interests at heart when it comes to accessable (meaning cheap) telephony and broadband.

So, at least you have choices and wide deployment.

We've got a nice IRC channel for people who don't believe SA has internet. Also our own server, irc.ac.za (though your ping to it will probably suck), and for the clientless, http://www.ircd.co.za/ for a java client to it. Or if you just like forums, http://mybroadband.co.za/vb/

I would have submitted this sooner, but it seems that any time I'm at work, if I try to post a comment on slashdot, it gives me "You can't post to this page." Yet it works fine at home on another ISP. I've tried asking what's going on, if it's some kind of domain ban, but nobody ever replied.

We live in a country where communications are run by a single monopoly, Telkom. They control the entire POTS system and all internet pipes out of South Africa. They are notorious for charging crazy prices for bandwidth and internet access, as well as being a reseller and ISP (how uncompetitive can you get?)

We are in a battle to get the price of ADSL down in South Africa. We have a population of 45 million, and because of the high costs we have only seen 100,000 users sign up in the last 4 years. That's a grand total penetration of 0.22% ! We are battling to get support from government because they own 40% of the shares, and they are profiting dearly from Telkom's exthortion.

A 512k connection with a 3gig cap will cost you ZAR 819 a month, which is about $126!!

Check out http://www.mybroadband.co.za/ for more information about the situation.