If you want to get sued when someone picks up your phone and dials 911 during an emergency.. Does a sticker really prevent liability (this phone isn't connected to 911)?
Congress passed a law requiring US based ITSP's to provide E911 support. If this idea ever went live it would require the same connections to E911. This connection costs money, its not free...
GNU VoIP would have to pay Verizon/Comcast/et cetera to connect to E911 and who is going to pay for that?
Unless congress provides an exemption.. (pfft, yahh)
I thought the box near my garbage can that said "Mossberg" on it and the 3 empty 50lb bags of dog food were enough? Is my "NRA Inside means you stay out" sticker on my window just for good measure? Stupid crooks like these guys think they're smarter then they are typically die whimpering.. alone.. on my kitchen floor.. and if they don't die fast enough I'll smother them with the book of Job for good measure.
If that doesn't work I think Monday Night Redemption is OK too...
Long live the Castle Doctrine!!
Some crypto junkies talk about distress keys. Where a user can enter two different keys depending on the situation. The real key loads the real OS. The distress key loads the "fake" OS. There are many ways to detect this in modern experiments. None will work without manipulating low level HD blocking.
I disagree. Unit tests are only as good as the author of the code.
I like fuzzing. So if I were to unit test my own code I would try millions of possibilities.
"Too bad" I just break and not make software.
I've written both ASCII and Binary fuzzers. Binary is harder.
My ASCII fuzzer found over 10 million possible mutations while the Binary fuzzer found less then a million.
If I had to argue with myself maybe I should have said "harder to write a successful fuzzer".
Seems to me that ASCII delimited protocols always have these types of issues.
Its quite easy to write fuzzers for human readable protocols compared to binary encoded protocols.
Too bad these developers don't know how to write good unit tests... This could have been avoided..
You make an interesting point.
The idea of a secure P2P private networks still doesn't sit well with me. The insider threat can still act as the attacker and remove data from their assigned facility. None the less, business requirements "are" business requirements.
"Its not the technology that's the problem", its how easy it is to abuse.
So, the idea was to load "sleeper" software by default on all these machines? Is the URL associated with this "service" always at the same memory location? It shouldn't be that hard for a Malware author to check for this BIOS and try to change the address.
Who feels like being monitored by criminals? 10% off sale price?
Maybe, maybe not. When was the last time you hear a telecommunications company update their software within a reasonable time frame? It would just be easier and cheaper for the phones to get updated.
So the phone manufactures will blame the telcoms while the telcoms will blame the manufactures. I can see where this is going...
I saw this one coming. Some cell phones cannot distinguish between a moble provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.
I do not consider wire transfer services such as SWIFT a P2P technology. I wouldn't call a network of Morse code operators using telegraph lines P2P either. Getting into a semantic discussion won't solve anything though.
If one were to distinguish PUBLIC P2P v. PRIVATE P2P I would say neither are secure. An internal P2P network could be easily exploited by a rouge insider.
Simply stated, the government and military contractors should proactively block all P2P traffic or risk heavy fines and potential termination of employment or funding.
Banning or simply ensuring employees that they will be terminated in the event you use P2P software is a good idea.
Financial Institutions already enforce strict policies regarding P2P software. Notice we haven't heard of a bank getting P2P'd lately?
This is probably worded in way that you can understand.
"In fact, it would take little more than a cable modem to deny service to large metropolitan areas in the U.S. For example, a city the size of Washington, D.C., could be taken out by a DoS attack with a bandwidth of about 2.8 megabits per second, they said."
It doesn't have to be that complicated.
A single person with a cable connection can knock out a small area code. First, make a list of all valid cell phone numbers. Second, determine each phone numbers specific provider. Third, determine the email address for all valid numbers. Finally, email bomb all the numbers in a random order with a multi-threaded tool. SMS Carpet Bombing persay.
Rule #1, an increase in attack surface area will increase the likelihood of an attacker targeting said technology. If the software is, as YayaY stated, so fragile and providers don't shape up then we're all f'd big time.
Consideration #1, Wireshark has supported GSM stacks for a few years. Nokia has had unlocked phones for some time. gnuRadio allows for cellular communications development. Considering an unlocked iPhone isn't the only means to access cellular signaling information this probably would have happened already.
My vote, its a ploy to keep iPhone users locked in.
Slashdot Mirror
First implication that comes to mind is...
If you want to get sued when someone picks up your phone and dials 911 during an emergency.. Does a sticker really prevent liability (this phone isn't connected to 911)?
Congress passed a law requiring US based ITSP's to provide E911 support. If this idea ever went live it would require the same connections to E911. This connection costs money, its not free...
GNU VoIP would have to pay Verizon/Comcast/et cetera to connect to E911 and who is going to pay for that?
Unless congress provides an exemption.. (pfft, yahh)
Whats the difference between police mugshots and facebook mugshots? I wouldn't think much..
I thought the box near my garbage can that said "Mossberg" on it and the 3 empty 50lb bags of dog food were enough? Is my "NRA Inside means you stay out" sticker on my window just for good measure? Stupid crooks like these guys think they're smarter then they are typically die whimpering.. alone.. on my kitchen floor.. and if they don't die fast enough I'll smother them with the book of Job for good measure. If that doesn't work I think Monday Night Redemption is OK too... Long live the Castle Doctrine!!
Some crypto junkies talk about distress keys. Where a user can enter two different keys depending on the situation. The real key loads the real OS. The distress key loads the "fake" OS. There are many ways to detect this in modern experiments. None will work without manipulating low level HD blocking.
http://images2.wikia.nocookie.net/familyguy/images/4/4a/Seamus1.JPG Family guy was up to something...
And a 2 year old is pretty damn smart!!
I use Wireshark or custom monitoring tools and not TCPDump. http://video.google.com/videoplay?docid=4204600308807371535&hl=en "Automated Web-based Malware Behavioral Analysis" from the OWASP AppSec conference circa 2008.
I disagree. Unit tests are only as good as the author of the code. I like fuzzing. So if I were to unit test my own code I would try millions of possibilities. "Too bad" I just break and not make software.
I hope your not a developer... http://en.wikipedia.org/wiki/Unit_testing
I've written both ASCII and Binary fuzzers. Binary is harder. My ASCII fuzzer found over 10 million possible mutations while the Binary fuzzer found less then a million. If I had to argue with myself maybe I should have said "harder to write a successful fuzzer".
Seems to me that ASCII delimited protocols always have these types of issues. Its quite easy to write fuzzers for human readable protocols compared to binary encoded protocols. Too bad these developers don't know how to write good unit tests... This could have been avoided..
You make an interesting point. The idea of a secure P2P private networks still doesn't sit well with me. The insider threat can still act as the attacker and remove data from their assigned facility. None the less, business requirements "are" business requirements. "Its not the technology that's the problem", its how easy it is to abuse.
So, the idea was to load "sleeper" software by default on all these machines? Is the URL associated with this "service" always at the same memory location? It shouldn't be that hard for a Malware author to check for this BIOS and try to change the address. Who feels like being monitored by criminals? 10% off sale price?
Maybe, maybe not. When was the last time you hear a telecommunications company update their software within a reasonable time frame? It would just be easier and cheaper for the phones to get updated. So the phone manufactures will blame the telcoms while the telcoms will blame the manufactures. I can see where this is going...
You forgot nokia, symbian and all the other SMS stacks out there.
http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-whitepaper.pdf The weakest link is always exploited first. Trust nothing.
I saw this one coming. Some cell phones cannot distinguish between a moble provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.
I do not consider wire transfer services such as SWIFT a P2P technology. I wouldn't call a network of Morse code operators using telegraph lines P2P either. Getting into a semantic discussion won't solve anything though. If one were to distinguish PUBLIC P2P v. PRIVATE P2P I would say neither are secure. An internal P2P network could be easily exploited by a rouge insider. Simply stated, the government and military contractors should proactively block all P2P traffic or risk heavy fines and potential termination of employment or funding.
I forgot about that!!! There is no firewall with enough throughput to shut him up.
The data must be unencrypted to access the information. Mission critical data is useless if its always encrypted.
Banning or simply ensuring employees that they will be terminated in the event you use P2P software is a good idea. Financial Institutions already enforce strict policies regarding P2P software. Notice we haven't heard of a bank getting P2P'd lately?
This is probably worded in way that you can understand.
"In fact, it would take little more than a cable modem to deny service to large metropolitan areas in the U.S. For example, a city the size of Washington, D.C., could be taken out by a DoS attack with a bandwidth of about 2.8 megabits per second, they said."
http://www.pcworld.com/article/122878/sms_attack_could_harm_cell_phones.html
And.. You should read the section titled "Seperation of Voice and Data" (as well the whole document) from the researchers at Penn.
"Even if a provider rationalized the expense, the elevated provisioning merely makes DoS attacks more difficult but not im-possible"
http://www.smsanalysis.org/smsanalysis.pdf
This research paper is 4 years old! How long has it been since you left your parents basement?
Bullcrap yourself friendo.
It doesn't have to be that complicated. A single person with a cable connection can knock out a small area code. First, make a list of all valid cell phone numbers. Second, determine each phone numbers specific provider. Third, determine the email address for all valid numbers. Finally, email bomb all the numbers in a random order with a multi-threaded tool. SMS Carpet Bombing persay.
Rule #1, an increase in attack surface area will increase the likelihood of an attacker targeting said technology. If the software is, as YayaY stated, so fragile and providers don't shape up then we're all f'd big time.
Consideration #1, Wireshark has supported GSM stacks for a few years. Nokia has had unlocked phones for some time. gnuRadio allows for cellular communications development. Considering an unlocked iPhone isn't the only means to access cellular signaling information this probably would have happened already.
My vote, its a ploy to keep iPhone users locked in.