Spoken Commands Crash Bank Phone Lines

mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."

Good

I hate those automated prompts.

Re:Good

[justforgetme]

Especially if after pressing all possible combinations and you finally get to the part where it says "I'll connect you to a human being" the while system blows up and you have to start over. Which in my experience happens approximately 100% of the time.

Re:Good

[SJHillman]

I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

Re:Good

[JustOK]

Press SQRT(-1) if this annoys you.

Re:Good

[TheCarp]

I don't even mind the hybrid systems, in theory.

What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.

In reality though, its exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....

So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.

Re:Good

[fuzzyfuzzyfungus]

Good Morning, Sir, would you mind confirming your slashdot UID for me before I can respond to your post?

Re:Good

[L4t3r4lu5]

444?

Spamfilter spamfilter.

Re:Good

I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live homo sapien.

Now you know.

Re:Good

[h4rr4r]

Wasting your time is good for them, it reduces the number of hangups. Far more importantly It means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.

Record a stupid metric get a stupid result.

Re:Good

[SlippyToad]

the operator gets on and asks for all that info again....

I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.

Re:Good

[dywolf]

I do too. "Please say or key in your PIN/Account/Social Security/Member Number" ... ya I want to say my very important number out loud...
luckily USAA lets you key in the stuff too. I've come across some that dont, and I frankly refuse to use them.

But when I saw this article, my first thought was, what do I say to trigger a money dump into my account?

Re:Good

[dywolf]

usually, in the good systems (natch!), you just keep hitting 0, or saying "Representative" or else something that it can't decipher and it'll take you right to an operator, after only about 15 seconds.

Re:Good

[Phreakiture]

Here are the two worst I have encountered:

One was a customer satisfaction survey. For each question, it asked the question, and then followed it with this entire message: "Press 1 for strongly agree; press 2 for agree; press 3 for neither agree nor disagree; press 4 for disagree; press 5 for strongly disagree." Now, I have no problem with this kind of prompt existing, but seriously, after the first question, I get how it works. Oh, I almost forgot: It would not accept any input until it had finished reading off the entire fucking message!

The other is a bank with which we have a loan. The sequence I go through is this: "Thank you for calling the Very Big Bank customer service line. For account information, press 1. For-" I press 1. "To inquire by account number or social security number, press 1. To inquire-" I press 1, but not too early or it just restarts this message. "Please have your account number or social security number ready. To inquire by account number, press 1. To inquire by-" I pres 1. "Please enter your account number." Let's say, for the sake of the argument that the number is 555555555. "One moment, while we retrieve your account." Two seconds pass. "The account number you entered is. Five. Five. Five. Five. Five. Five. Five. Five. Five. Five. If this is correct, press 1. If-" You couldn't have asked me this before retrieving my account? Okay, fine. I press 1. "For a payoff balance or payment amount, press 1. For-" I press 1. "For payoff balance, press 1. For-" I press 1. "The following message contains payoff information. You will be given an opportunity to receive a fax copy at the end of this message. Acount number. Five. Five. Five. Five. Five. Five. Five. Five. Five. Five. Date of the last payment was. September. Third. Two. Thousand. Twelve. As-of. September. Seventeenth. Two. Thousand. Twelve. Your payoff balance was. Fifteen. Thousand. Five. Hundred. Fifty. Five. Dollars-and. Fifty. Five. Cents." I think it is designed to get peoplel to use the website instead.

Re:Good

[azadrozny]

Some companies are getting wise to this. Yes, this will take you to a real person, but that person is often nothing more than a switchboard operator. Many times they have routed me back to the same prompt queue I just escaped from.

Re:Good

[Lorens]

[It's] a human who then asks you all of the same questions as the automated system that I really hate.

I have a supplier whose automated system asks for contract number and system ID's and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system . .

Re:Good

[sjames]

Swearing often helps too. Some systems take it as a sign you're getting angry and try to head it off.

Re:Good

I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
In both places, info entered by the caller was used only to route the call; none of it was passed on to me.

Re:Good

[justforgetme]

On lots of the implementations I have seen either the menu loops indefinitely or it just disconnects you. To be honest though this is something I only have noticed in countries in the Mediterranean. So maybe it is somehow related to economic insolvency?

Re:Good

[rbrausse]

my password is swordfish

Re:Good

[DarthBart]

I always like the systems (I'm looking at you Dell!) that send you through the song and dance of entering information, then when the time comes to hit the queue the system says "We're sorry, call volumes are too high at the moment. Please call back later. *CLICK*".

Re:Good

[morgauxo]

I used to be one of the human beings a person might reach after mashing in those possible combinations. I don't know how awful the system may have been that lead customers to do that. I had no input in making it or access to anyone who did. It may have really sucked but I sure hated those people that got to me by randomly mashing the wrong buttons. They were always so pissed off and difficult when I told them I had to transfer them. What did they expect? Ignore the system that is supposed to be helping you get to the right person, randomly push the wrong buttons and somehow magic gets you the right person? And it counted against my stats if they had to call back again?!?!

Re:Good

[dkleinsc]

See, when you type swordfish, it shows to us as *******

Re:Good

[morgauxo]

Yes, that really sucks. I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again. There could be any number of individuals whose fault it is you are so inconvenienced, IT nazis that will not let the information in system A into system B, bean counters who will not pay to get someone to write the code to send the information to the call center and put it on somebody's computer screen, executives who really don't give a shit since their bonus comes either way, etc... It is highly unlikely the person on the phone wants to ask you any of that crap. They probably wish the information was sent to them even more than you.

Most likely that information was used for something, probably routing your call to the correct call center rather than some other that wouldn't be able to help you. It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

Re:Good

[justforgetme]

I wasn't talking about randomly mashing the buttons, but just trying to find the menu that does what you want without any success because it doesn't exist. Leading to the aforementioned every possible combination

Re:Good

[atomicxblue]

It's my experience that these systems collect all the info a human operator would need, but when it eventually connects you to a human operator, they have no clue who you are and have to gather that information all over again. Why not just save time and money by playing hold music and have the customer give their information to a real human once?

Re:Good

[atomicxblue]

There are some systems out there that offer to call you back in the event of long hold times. All companies should think of implementing this!

Re:Good

I actually make these kinds of systems for a living. If a system doesn't do this (it's called a ScreenPop) it's usually a matter of cost, or the inability to tie systems acquired at different times together. It always drives me nuts when I run into this.

Re:Good

[TheGratefulNet]

close but not quite: that is actually a starfish!

Re:Good

[atomicxblue]

Oh, no! Tactics like that would lose me as a customer. If an IVR does not have the dual ability to use the keypad, it's generally very difficult for me to use their systems. I have a moderate Southern accent and the IVRs have a difficult time distinguishing between the phonemes I use. (Think more like DeForrest Kelley's softened Southern accent and less like Dolly Parton.) Most of the IVRs I've encountered build their language processing phoneme database using General American, which is pretty much a made up account like Perceived British Pronunciation, or "BBC English". They discount the number of regional accents in the US and lead me to believe that native people from the Bronx or Boston would have similar issues.

They are so horrible that if I say something like "Billing", I fully expect the systems to go full on Family Guy and come back with: "You have selected, 300..."

Re:Good

[Obfuscant]

They were always so pissed off and difficult when I told them I had to transfer them. What did they expect?

Good customer service from a company that truly cares about their business and doesn't waste their time playing through an endless cycle of "press 1 for this" or "press 2 for that", usually after starting the cycle with the useless "please listen carefully to the options because our menu has changed", when the menu hasn't changed in two years. A company that clearly offers "None of the options fits, press 0 for a person who is trained to assist you" instead of simply repeating the same three or four irrelevant options when you press 0 to try to get help.

A company that doesn't force you to "press or say your 15 digit account number" and then force you to say your 15 digit account number to the next three people in a row you talk to, because none of them are able to do anything to help and none of them are able to pass your information along to the next person?

How about customer service that doesn't keep interrupting the hold music to tell you that you can do what you want to do on "w w w dot whatever" and it is faster and easier, when what you are calling to talk about is HOW THE FUCKING WEBSITE IS FUCKING BROKEN AND WON"T LET YOU DO JACK SHIT? Or even not interrupting the hold music AT ALL until it is time to talk to someone, because every time a voice comes on the line you think it is a real person and you stop whatever else you are doing to ... listen to a repeated sales pitch that doesn't help.

Sorry, but you asked.

Re:Good

[ericloewe]

Sure it does, it's the 4 on a keypad

Re:Good

[AK+Marc]

Call backs suck. You end up either holding anyway, just with the phone hung up, or you miss the call when you step in the shower. The call back systems I end up getting don't give a reasonable time for response. Once, I was calling as I was getting ready to leave. I gave them 20 minutes to call me. Nothing. Then I left and came back to a call log that was them calling every 10 minutes for 2 hours (starting 5 minutes after I left the house). Then I sat at home for another 2 hours before they actually did call back and get me.

Re:Good

[AK+Marc]

Not any more. pressing 0 and saying "operator" used to work, but they are so common that the big people just say "that was an invalid option, please choose from one of the following options." These days, repeatedly mashing "1" gets you to a person fastest. They even plan on it, as that was the "old person" version, where they don't ever listen. Ever wonder why the Spanish choice has you pressing 2 or 4 or something? So that if you hit 1 repeatedly, you'll end up at the "regular" operator pool, not the Spanish one they have to pay more for.

Re:Good

[AK+Marc]

I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again.

There's no reason to answer the questions twice (aside from the evil corporation being too cheap/stupid to set up their expensive IVR correctly, which isn't acceptable to me as a customer).

It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

If it were that unfortunate for the faceless megacorp, they'd send the information they've already gathered and verified to the person on the phone. Otherwise, it's much much easier for the caller to just route it to a human. There's no benefit to the caller to go through a non-integrated IVR. At worst, there are slightly longer hold times as the answerer has to route calls. But that's better than entering the 16 digit account number mutliple times, only to read it off once again when actually through.

Re:Good

[AK+Marc]

The "correct" buttons got me to the wrong department. I wanted to make a payoff, not make a regular payment, and the people who accept payments can only tell me my current due, not lock in a payoff amount. So, call back, same IVR, same wrong department. Call back, deliberately press the wrong buttons, get to an "operator" that can route me to the right person. IVR fails, wrong buttons get me what I was looking for.

And it can't count against your stats if they call back if they were in the wrong department. At least it couldn't where I worked, the "cases" didn't accept "wrong number from customer #112221321", but they took "wrong number" without identification. So if they called me wrongly 10 times, my stats looked better. The average call time of a "wrong department" was very very short. But then, I was in an outsourced call center, so I couldn't transfer them to anyone, so I'd offer them a different number, and if they complained, hang up on them. After all, a complaint to my manager was telling my manager that I had great numbers, and "customer satisfaction of incorrectly routed calls" wasn't a metric. So all complaints were good for me, not that I ever had one, but others did.

I called the number myself a few times to see what customers had to do to get to me. I think that call center workers should be required to do that at least once a week. Some were easy, some were nearly impossible. Nearly all pissed off the customer before they got to a human.

Re:Good

[AK+Marc]

Danmed straight. If you don't get a human (or your question answered for truly automated things like account balance and payment info or such) by about 3 menus deep, then you need to ditch the IVR and go back to human call routing. It's just too complicated to expect the general users to get where they are going, or you have 10,000 departments and nobody knows what goes where (I'd estimate about half the IVRs I've had to use had at least one invalid choice).

Re:Good

[firex726]

http://gethuman.com/

FTW!

Re:Good

[noobermin]

So instead of a fish shaped like a star, it is a fish composed of tiny stars?

Re:Good

[jmcvetta]

I've found a bit the opposite: saying "agent, please" has good results at getting thru to a human.

Re:Good

[KevReedUK]

One large financial I used to work for had just such an IVR system in place. It would go through its response tree allegedly (from the customer's point of view) to correctly route the call and provide the call-center agent with all the info they needed to hit thr ground running.

The truth, however, was something of an unfortunate surprise. The surprise wasn't that the agent wasn't provided with the information (I kind of expected that!), but more that the entire response-tree and it's complexity were a psychological move to make the customers think that they were in control of the length of time they were on the phone whilst the whole time the question and answer session was really just there to disguise the high hold times caused by the management being to cheap to recruit enough staff!

Apparently, someone important came up wit the idea that customers would prefer to spend the time answering questions than listening to music.

Re:Good

[AK+Marc]

Best use ever. The problem with where I worked on the phones is the IVR was managed by the company, and the call queues managed by the outsourced call center. So the person setting up the IVR had the incentive to make the IVR as short and simple as possible. But when I've worked setting up the phone systems, I could have done that, but the internal call center had more customer-oriented metrics, and hold time wasn't one of them.

Re:Good

[RockDoctor]

Why swear when you can just answer the questions in a variety of languages until the machine's brain explodes. The machine can't tell the difference.

Re:Good

[sjames]

Because it's funny to swear in a monotone and have the machine act as if it's some sort of root password.

Re:Good

[RockDoctor]

Ah, I bet that you whistled-up fax machines and told them to print 100 blank pages when you were a kid.

Re:Good

[TheCarp]

At a previous job, we had a ticketing system, it was terrible.

It could email, out only, not capturing email threads like RT. Its emails were useless.... with a page or so of useless data, only the ticket number being relevant.

I always blamed the system, but, as it turns out, its highly configurable, it was always a matter of cost. Then to top it all off, they only bought a limited number of seats, so you would be kicked out (and your changes not saved) after just a couple of minutes of inactivity.

I have to imagine that the productivity lost due to the peculiarities of how they chose to save money on the product more than sucked away whatever cost would have been paid up front to do it right.

When they switched to this system.... the managers who decided on it had nice new fast machines... while the help desk (who had to use it all day) were on scavanged P90s. The company tried to institute a 4 minute average turnaround time for calls... except...it easily took longer than that just to log a call in the ticketing system, I used to hang out with the helpdesk guys and they spent half the time applologizing for how slow the system was!

At least that was just a matter of the helpdesk head blowing a gasket at upper managers and telling them that they should come down and try to log a ticket in 4 minutes on a helpdesk machine to get them new dekstops.... but the rest of the problems were still there a decade later.

Social engineering

[BSAtHome]

How is the turing test doing for social engineering an automated system?

Maybe the system commited suicide after listening to those humans and just decided it was not woth it anymore.

What?

[ledow]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

And yet the article basically parrots the summary with no more information.

Re:What?

[RaceProUK]

buffer overflows

Not everyone on here is a programmer.

Re:What?

[TWX]

I'm not a programmer and I know what a buffer overflow is...

It's when you use too much polishing compound on your buffer and it squirts out everywhere and ruins the paint on the car, right?

Re:What?

[RaceProUK]

Meh, why not?

It fulfills the car-analogy requirement for this article at least.

Re:What?

[JustOK]

But ignores pizza

Re:What?

[TWX]

Ever contemplate how much pizza you really eat, by volume?

Let "a" be the thickness of the crust, and let "z" be the radius.

So, the volume of your slice, depending on how it's cut, is a fraction of pi*z*z*a.

Re:What?

[L4t3r4lu5]

That's not a pizza, that's a flatbread.

Bazinga!

Re:What?

[wonkey_monkey]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

Re:What?

[FireFury03]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

After reading the article and finding it had no more information than the summary, I clicked the other links expecting them to be a more in-depth article on the same subject... I was disappointed.

Re:What?

[MobileTatsu-NJG]

Press one if you'd like to see those links again.

Re:What?

I know what a buffer overflow is...
It's when you use too much polishing compound on your buffer and it squirts out everywhere

Buffer eh, that's a new term for it I guess... ;-)))

Re:What?

[TheGratefulNet]

except that you end up with a black hole when you try to divide by tomato.

Re:What?

[Reziac]

Crap. I tried that and wound up with anchovies!!

Re:What?

[Reziac]

I said "Transfer" and wound up on Slashdot. WTF??!!!

Would you like to hear other people's PINs?

[pr0t0]

To hear the PINs of our other customers, please press 1, or say "yes" now.

Re:Would you like to hear other people's PINs?

[frostfreek]

0000
0001
0002
:
9999

Re:Would you like to hear other people's PINs?

[GonzoPhysicist]

Haha, my PIN isn't on this list. On that note, is there a limit to the number of digits in a PIN?

Re:Would you like to hear other people's PINs?

Sadly, my bank limits it to four digits.
After mentioning to the bank manager that this not ideal, at least he agreed and offered me a copy of his letter to "corporate" as a template for my own. He didn't to it for me, but he helped quite a bit.

Re:Would you like to hear other people's PINs?

[kat_skan]

That's amazing! I've got the same combination on my luggage!

Re:Would you like to hear other people's PINs?

[AK+Marc]

The US standardized on 4-digits no more, no less. Much of the rest of the world allows for (some require) 6-digits. I have never gotten money out of a machine that required 6-digits for my American card with 4-digits.

Re:Would you like to hear other people's PINs?

[jkflying]

In my country they usually go up to 5, but I know when I travel to the US/EU the ATM only accepts the first 4.

SQL Injection via voice?

[Gotung]

"In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.

Re:SQL Injection via voice?

My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc, which then ran the queries un-escaped

Re:SQL Injection via voice?

[LordLimecat]

The article indicates that the attack was done by speaking attack commands.

Re:SQL Injection via voice?

[michelcolman]

You seem to know more about this... hmmm...

Re:SQL Injection via voice?

"Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."

"SELECT password FROM members"

"It sounds like you're trying to hack our system. Please hold while I access that data."

Re:SQL Injection via voice?

Some years ago I worked for a small telecom, our system (and everyone else using the voip engine) was (is?) vulnable to injection attacks via. SIP headers; we where very much aware of this, but getting the maintainer to fix it was impossible.

Re:SQL Injection via voice?

The article indicates that the attack was done by speaking attack commands.

Attack commands?

"DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
"Okay. I will die now."
*sound of distant explosion*
"...huh. Cool. I didn't think it'd be that easy."

Re:SQL Injection via voice?

[SlippyToad]

Computer: Sic balls!

Re:SQL Injection via voice?

[omnichad]

"Shall we play a game?"

Re:SQL Injection via voice?

[Gotung]

The summary clearly states the the buffer overflow attack was a different attack from the one that dumped the PIN #'s.

Re:SQL Injection via voice?

I heard it only works if you shout when you say "SELECT" and "FROM"

Re:SQL Injection via voice?

[Obfuscant]

The article indicates that the attack was done by speaking attack commands.

Sit!

Stay!

Good dog, Ubu!

Re:SQL Injection via voice?

[AK+Marc]

A buffer overflow is an input so large that it overflows the available space for the input, and the remainder of the input overwrites something else, usually resulting in a crash, but sometimes can be crafted to allow arbitrary remote code execution. SQL injection is a form of arbitrary/remote code execution where the input (or portion thereof) is treated as a command. They can both be forms of arbitrary code execution, and thus, for a general release article are equal.

Oblig

[gmuslera]

Wonder of something like this happened.

1337

I noticed that in the video, the sequence 1337 appeared regularly. So either phone systems are especially vulnerable to this sequence, or it is a fake video where they thought it would be 1337 to use that sequence.

The 127.0.0.1 in the top line makes me suspect even more that the video indeed is fake.

Re:1337

[omnichad]

Right, because it's only real if they record video evidence of them committing a felony and not using a test system set up to emulate the real-world environment.

Re:1337

This is the guy's personal pin for his account... he thinks it's clever to show you he typed that and it came up with something while all the time it was his own account. He does nothing in the video except extremely poor and slow fuzzing.

I work with IVRs all day and nothing in the article is remotely feasible.

Re:1337

[AK+Marc]

I was going to say that the systems couldn't even know the pins, as that's insecure. But I recently had to call my building security. They asked me my PIN. "1234" No, but you got the first number right. "Oh, then 1111" yes. So the security guy was reading off my pin on the screen. Kinda makes the point of a PIN useless if anyone in security knows it.

Video of the talk

[Tryfen]

You can you watch a video of the talk on YouTube - or read the slides at BlackHat.

Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

Re:Video of the talk

[bouldin]

There's more detail here, including links to papers: http://voipsecurityblog.typepad.com/marks_voip_security_blog/2012/09/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html

Re:Video of the talk

[RaceProUK]

That's compression for you!

Re:Video of the talk

[NatasRevol]

I need to do more sit ups.

Re:Video of the talk

[jittles]

I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.

Re:Video of the talk

[MobyDisk]

I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.

Re:Video of the talk

I've been involved in the building and testing of IVR systems. Injection and overflow are possible, but less common. Denial of service and brute force attacks are more likely to be successful given the nature of how many applications are built.

IVR applications tend to be written as thin, dumb applications around the data source. On a positive note, banks, and other financial institutions, rarely expose data as a database. Most of the FI interfaces I've experienced are either proprietary (text message blocks are the most common) or if a standards method is available, Web Services. I rarely see IVR applications that validate data and therefore allowing ABCD in. * and # are often terminating characters, but some can still end up with input. If the FI data interface isn't validating the data, there will likely be problems.

Speech reco systems, today, aren't too bad. Grammar design restricts results (semantic interpretation) and most applications just fail if they have an unknown SI value. However, as speaker independent dictation models become more successful, it is possible that raw input might make their way into data requests. However, I suspect when that happens, it will be tied into the same logic used by web servers cutting down the attack surface.

Re:Video of the talk

[cffrost]

[H]e is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable.

I didn't watch this presentation, but your post reminded me of Elon Musk's appearance on The Daily Show. Blushing, glistening in sweat, strange answers, etc. It seemed like he'd never spoken in public before, and I was half-expecting him to flee the interview at any moment.

Re:Video of the talk

[jittles]

He wasn't sweating, and didn't look like he would flea in terror but he had DTMF tones blaring loudly from his powerpoints, had long pauses where he had to figure out what he wanted to say, and was constantly saying "Umm umm umm." This is why most universities require you to take public speaking classes, and things of that nature. At my last company I would go to a tradeshow every year and give 2 presentations a day for a week. I also gave demos to government officials (Including a 1-star [Brig. General] and a 3-star equivalent[Undersecretary of Defense]). If I presented like this guy did, they would have replaced me a long time ago. I know some people think that they can never get over their nerves and make great presentations, but it really is an acquired skill just like any other. The more you practice, the better you will do. I would practice my demo in front of several hundred coworkers before I left for every show, just to get reacquainted with a large crowd. Its better to embarrass yourself in front of your coworkers than an entire room of strangers.

Re:Video of the talk

[platypusfriend]

I've seen Elon Musk speak in public, elsewhere, and he was pretty confident. Shrug. Must have just been a bad day for him on The Daily Show.

Re:Video of the talk

[TheGratefulNet]

but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

Re:Video of the talk

[jittles]

but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

That's exactly my point. If are a good employee then your coworkers will value you despite your embarrassing attempt to present to them. You only get one attempt at showing those strangers that your product (whether it is you as an employee, or your company's product) is worth the money. If you mess that up, the game is over. But if you've had a great career and you get a little bit of stage fright in front of your coworkers, they will (in my experience) genuinely offer constructive criticism and help you to do a great job selling the company.

Re:Video of the talk

[AK+Marc]

I'd go with:

It's like no one every proof read, the abstract.

Re:Video of the talk

[AK+Marc]

I guess I never got into the good stuff. All the work I did with IVR was ACR-only. The "integration" was to play inputs back into a sandboxed program that sent the numbers to the customer service rep that answered the phone (no integration with the other systems, other than cut and paste). It wasn't sandboxed for security, but cost reasons. I can see how an input could theoretically exceed the input length and cause an overflow, but, every ACR I've ever dealt with let you set a max (set to 20 or so by default), and you'd have to work really hard to allow some overflow.

Re:Video of the talk

[mgcarley]

I'm a foreigner living in India, and presentation skills are not a strong point of... well... almost anyone... because most people don't have to make presentations, and it's not really taught here.

Forgetting the language/accent issues (I can deal with those), often they're just incredibly boring - I've had to fight the urge to fall asleep at almost every conference I've been to - there's no charisma at all and they frequently ramble on about nothing.

Those that can present well were often educated overseas, and the resulting hierarchy/society, unfortunately, reflects it: those that got the advantage to begin with keep their advantage and those that learn from these local guys that teach you to "speak like James Bond" (yes, seriously - http://goo.gl/GRQoK), well... you get where I'm going.

To add insult to injury, I've also seen people try to fit WAY too much stuff on to each slide (8 point text even on a large projected screen is still damn near impossible to read), though this isn't strictly limited to India - I've seen this in the west as well.

One trick

[kilodelta]

If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

Re:One trick

[P-niiice]

I do this and get more and more pissed everytime I have to yell "Agent" at it. My kids get a huge laugh out of it everytime too.

Re:One trick

[fuzzyfuzzyfungus]

If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimzing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and(depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.

Re:One trick

[PRMan]

Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.

Re:One trick

[MachDelta]

Have you tried "I'm going to stab you in the EEPROM" ?
It worked for Frontalot...
kinda....

Re:One trick

[omnichad]

Sometimes rapidly pressing 0 instead of pressing it for each prompt gets you in faster.

Re:One trick

[Obfuscant]

some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way.

I can't figure out whether you put an extra 'h' on 'dealt', or an extraneous 'l' in 'death', but I guess either way they are "out of the way".

Re:One trick

[AK+Marc]

These days, I think the fastest way to get a human is to do nothing at all. Don't say "agent" don't press a button. Just sit there. Someone once told me that they are required by law to route them to a person within a minute or two as part of the ADA. No idea if that's true, but that's what I was told once by "some guy."

Re:One trick

[AK+Marc]

I've found ones that hang up on me if I press 0. "I'm sorry, that input is invalid, goodbye."

Re:One trick

[Errol+backfiring]

I thought the magic word was "shibboleet"? (see http://xkcd.com/806/)

Re:One trick

[himself]

My sister works for a bank, and attended a vendor presentation about software that monitors IVR calls. They found that they got good results when listening for two keys phrases before transferring people directly to a Retention Specialist operator: "ridiculous" and "bullshit."

Naturally, I now answer "agent" to every prompt and then switch to "this is ridiculous bullshit" after a couple of tries.

Re:One trick

[Reziac]

And on others, say "Operator" or "Transfer". The latter seems more commonly to work on those that like to respond with "I'm sorry, I didn't understand/get that" to any unexpected input.

Re:brings a tear to my eye

[ElmoGonzo]

Long Live Captain Crunch!

Dilbert would be proud

[murcon]

Heh. For some reason this reminds me of the "shower scene" from the very first episode of Dilbert (the animated series), where Dogbert is attempting to hack Dilbert's voice-activated shower temperature control.

http://www.youtube.com/watch?v=7MqhBL9eEts

Re:Dilbert would be proud

[TWX]

DNWTFV...

I'm sorry, but "shower scene" and "Dilbert" do not belong anywhere near each other.

I had an involuntary mental image that it'd be like the shower scene from Starship Troopers but with the Dilbert characters, and then I threw up a little bit...

Re:Dilbert would be proud

Sounds like your brain is vulnerable to relatively unsophisticated hacks. You should probably look into that.

autotune required

[jickerson]

The commands can be keyed in using touchtones or even using the human voice.

To bad i'm very much tone deaf

Cap'n Crunch

[rueger]

Wow - surely you could find a way to work in a Cap'n Crunch whistle?

Use a Sponge Bob Happy Meal toy

[srussia]

To bad i'm very much tone deaf

Get all the details in next quarter's 2600!

Who cares? Phone service serves no purpose

[gelfling]

Seriously, phone support? That's a waste of all time and effort. So is online chat support, email and talking to anyone in person if they even exist.

Re:Who cares? Phone service serves no purpose

[NatasRevol]

Everyone should have direct access to the databases!

Secret phrase

[PPH]

"All your PINs are belong to us!"

Re:Secret phrase

Tea. Earl grey. Hot.

Destruct sequence confirmed, Captain.

Re:Very Welcome Message

[seann]

buffer overflows etc

Re:Social engineering--PenTest?

[BoRegardless]

Penetration Testing?

Must not know of such things in India yet. Seriously behind China.

Windows!

[mccabem]

If humanity has any luck left this will spell the end of shitty automated phone systems (which is about 99.9% of them). With Windows as my bell weather, I'll not be holding my breath.

Really, Slashdot?

[korgitser]

Nobody reckognizes TFA as being about phreaking? You know, this kind of stuff dates back ages. Kevin Mitnick even had the superpower to whistle nuclear missiles into flight... True Story(TM).

seen it done. not new.

[gigne]

Working in the industry, and having to read low level logs all of the time, I see this frequently.
People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
often times they retry promps with longer and longer strings. This is old news.

I am guessing there is a wardialler in ther that is looking for specific systems at the other end. Sort of known phreak attacks.

Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff link this in dev and QA.

The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

Re:seen it done. not new.

[oodaloop]

Right. First thing I though of was the whistle from Capn Crunch.

Re:seen it done. not new.

[cffrost]

In the mid-1990s there was a DOS program called Code Thief, which would dial an 800* number, enter a telephone number known to be answered by modem (e.g., multi-line BBS), enter an authorization code (4-6 digits, IIRC), then keep a log of which codes resulted in successful connection.

* I don't know what these 800 numbers were exactly, but I was told they were intended to allow corporate business travelers to make LD calls from payphones/hotel phones at their employer's expense. The 800 numbers themselves were distributed via HPAVC BBSs and VMBs.

Re:seen it done. not new.

[gigne]

sometimes it is almost certainy this... the ones that clearly are not are the ones waiting for prompts.

Re:seen it done. not new.

[wmbetts]

One of my favorites was Toneloc.

example exchange

[goffster]

are em minus f slash root
Permission Denied
sudo are em minus f slash root
no home directory

Try this...

[ctrl-alt-canc]

At the voice prompt, yell "Format c" followed by "yes!".

Re:Try this...

[Frank+T.+Lofaro+Jr.]

You forgot the colon.

The elephant in the room - C

[Animats]

The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.

This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language". This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.

This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.

It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.

Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.

(For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)

Buffer overflow?

[stubob]

Must have been talking to my mother-in-law.

Re:Social engineering--PenTest?

[AK+Marc]

China is confused on the subject. You mean you are supposed to pen test you own stuff, not just the competitors?

unfortunately they have your voice and phone #

[slashmydots]

The subject line basically says it all, lol. Yeah, yeah, yeah payphones and voice maskers...whatever lol. As if someone wouldn't hear you yelling SQL commands into a pay phone, lol.