Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.
Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitve... but it just take one merchant willing to charge to an account and ship merchandise based on the the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.
It's a matter of "trust", and a formerly trustworthy system no not so much.
This isn't an open source issue at all. It's a "trusting user provided equipment" mistake... a closed source program can violate the standard just as badly.
It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...
Our current PTSN works as well as it does because it's regulated... and this is just more one example of how VoIP companies won't implement correctly things they aren't required to implement correctly.
As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment or accept CPN data isn't a number the customer controls. That should be things handled at the VoIP service side rather than anything on customer equipment that can't be trusted.
The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID... why are they letting VoIP companies do it?
The icon hair color changes from dark to gray in order to indicate that the statuses aren't going to be queried in advance of the user wanting to see details on the group... it's not really an easter egg, it's a feature. Gray is the color in the computer world to indicate such inactive states, isn't it?
Any device that can store data on it could be the corperate secrets walking out the door. USB watch/keychain, iPod, CD-R... Nobody should be bringing those in or out of a "secure area" without authorization, otherwise those secrets could be headed to the outside world and not so secret anymore.
The Discovery Channel series American Casino has already shown several situations where the security staff of the casino being covered has read from a card they keep in their pockets to unwanted customers a legal notice that tell them that they're now on notice that if they ever show up on their property again they'll be in violation of tresspassing laws.
That's not a section that specifically applies to casinos, anybody can tell anybody else they're not welcome on their property that way.
There'd be nothing illegal about programming the store computer to detect the phone number or credit card of people who have more-frequent-than usual claims against the "purchase protection plan" schemes and then make sure to forget to prompt the salesperson to try to pitch the scheme to such people... or for that mater, raising the price for such people if they want that plan.
It's only illegal descrimination when you're manipulating prices or offers based on the so called "protected classes" mentioned in the laws. "One who frequently breaks stuff" is not such a class...
And overpriced stores have always counted by marking double the going rate on items during the peak holiday season knowing full well that the items won't sell at that price, just so they can slap a "50% off" sticker on a item that's at it's real normal price during the post-holiday sale.
Stores have always been looking for ways to catch such sale-only shoppers and make them buy something profitable...
Rebates are not done just for the fact that some people won't claim them...
They're also done as a limiting mechanism for loss-leader items. If they want to reduce the price of an item to less than cost, they most likely want to make sure you can only claim that deal once... and that's where a rebate with "limit 1 per household" kicks in. Sure, some people might use two mailing addresses to get it twice, but nobody's going to be able to grab 20 of the item and get the post-rebate price.
Funny, my site got more than quaduple it's usual traffic today and I didn't have a problem... then again, a normal day for me isn't anywhere close to 1/4 of a slashdotting...
An important concept that comes into play from the bean counters is "time value of money"... that is, the investors in the film want their millions back ASAP because even if the film gives them more money back, that has to be compared to how much their capital would have made had it been invested in something else or just sitting in a bank.
In short, giving up that director's fee had to equate to the interest the investor's money would have made over the six-month delay, or the bean counters woulda vetoed it.
I just feel sorry for the website admins at moviemistakes.com who are gonna have to clean their database out from these kind of troll jokes after being slashdotted...
Getting a feature film to be internally consistant with itself is not as easy as it seems, and it only gets harder the more shoots and scenes there are.
But there's always a chance to catch these things in editing... in fact, that scar mistake was most likely introduced when somebody took a mirror image of a shot for some reason or another, and forgot that it'd end up reversing the side of the face the scar appears. Sure, that could be fixed in editing, but if they forgot to do it... well, it ends up on that site.
Seems like the bigger the film, the more of these glitches surface as they rush to the box office.
No, right now I'm the only person who controls the questions in the game.
However, there game is constantly rotating questions in and out of play so that it's a completely different experience every time you come back to it. Bookmark it and see for yourself in a few hours...
In a "restricted area", usually the military doesn't want any electronics device that they don't control going in. Cans of Coke are tolerated, but cell phone links to the civilian world aren't...
Besides, even if you had a winning can on a military base, it's not like Coca-Cola's Prize Patrol is going to be able to deliver your SUV to you on the base... they most likely won't be allowed in.
This goes right next to the cases of people who get fired for bringing their new cell phone to work because their office is a security-tight "no camera zone" and their new phone just happens to be a cameraphone model.
Yes, it's an overparanoid reaction, but it's one that was promised for people who bring in a threat to the security even if they didn't do it on purpose.
For those outside of the USA... today's not a business day here because the "4th of July" proper fell on a Sunday, so today is effectively running on a weekend schedule for most things. That's most of the reason why there's not much news coming out today...
Sometimes, the military doesn't like the location of troops being revealed to anybody. They ban all cell phones and GPS devices that they don't control from being with such groups.
So, should a "winning" can be brought on such a mission, you've got a security hole... sure, the message is encrypted so that only Coca-Cola Prize Patrol knows where you are and hears what you say to them, but Coca-Cola Prize Patrol doesn't have security clearance now, do they?
Your car most likely trigged whenever it heard a wrong sequence on its frequency, figuring that somebody was trying to steal the car by trying to guess the code.
When the air-show came to town, there's usually some military aircraft included in the group whose favorite comminication frequency just happens to be the one your car alarm is tuned to.
Therefore, the car alarm thinks it's always being challenged by the random noise that is really the pilots talking to each other...
Being the "primary users" of bandwidth space gives you the right to jam out everybody else... "secondary users" are those whose use is tolerated but they must accept any interference from the primary users and shutdown if they're bothering any primary user.
The car entry system makers picked a frequency that belonged to the military as the primary user... they can't really complain when the military comes to town and wants to use their channel.
As the article points out, some cars are designed in such a way that even if you could get inside the car with the old fashioned key, the engine would be locked unless you transmitted the unlock signal within seconds of trying to start the car. Therefore, even if they could get in it wouldn't do them much good.
The cause of the problem is rather clear... keyless systems are Part 15-compliant flea power devices, and their makers have decided to pick radio frequencies used by the military. Since those frequencies are rarely used in most civilian areas, that bandwidth is usually in the clear. However, when a military ship is coming home, that's the frequency band most likely to be used to communicate with the base, and that's where the trouble starts...
Why don't the car people put their systems on 900mHz, 2.4GHz, or 5.8GHz with the rest of the consumer device universe? They might have to deal with occasional interference from other things, but they can be assured that nobody will ever come in with a high-wattage use of that space that'll blow them out of the water.
Slashdot Mirror
Who's really that stupid? Big business.
Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.
Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitve... but it just take one merchant willing to charge to an account and ship merchandise based on the the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.
It's a matter of "trust", and a formerly trustworthy system no not so much.
This isn't an open source issue at all. It's a "trusting user provided equipment" mistake... a closed source program can violate the standard just as badly.
It's a matter of equipment being given info it's not supposed to share and a flag telling it not to share. But, if the customer provides the software...
Our current PTSN works as well as it does because it's regulated... and this is just more one example of how VoIP companies won't implement correctly things they aren't required to implement correctly.
As the summary and article point out, in order for any of these exploits to work, the VoIP carrier must be permissive... they have to be asleep at the switch enough to send data that is marked "private" to the end user's equipment or accept CPN data isn't a number the customer controls. That should be things handled at the VoIP service side rather than anything on customer equipment that can't be trusted.
The FCC would never tolerate an old-line phone company selling a service that lets people lie to caller ID... why are they letting VoIP companies do it?
The icon hair color changes from dark to gray in order to indicate that the statuses aren't going to be queried in advance of the user wanting to see details on the group... it's not really an easter egg, it's a feature. Gray is the color in the computer world to indicate such inactive states, isn't it?
Any device that can store data on it could be the corperate secrets walking out the door. USB watch/keychain, iPod, CD-R... Nobody should be bringing those in or out of a "secure area" without authorization, otherwise those secrets could be headed to the outside world and not so secret anymore.
The Discovery Channel series American Casino has already shown several situations where the security staff of the casino being covered has read from a card they keep in their pockets to unwanted customers a legal notice that tell them that they're now on notice that if they ever show up on their property again they'll be in violation of tresspassing laws.
That's not a section that specifically applies to casinos, anybody can tell anybody else they're not welcome on their property that way.
There'd be nothing illegal about programming the store computer to detect the phone number or credit card of people who have more-frequent-than usual claims against the "purchase protection plan" schemes and then make sure to forget to prompt the salesperson to try to pitch the scheme to such people... or for that mater, raising the price for such people if they want that plan.
It's only illegal descrimination when you're manipulating prices or offers based on the so called "protected classes" mentioned in the laws. "One who frequently breaks stuff" is not such a class...
And overpriced stores have always counted by marking double the going rate on items during the peak holiday season knowing full well that the items won't sell at that price, just so they can slap a "50% off" sticker on a item that's at it's real normal price during the post-holiday sale.
Stores have always been looking for ways to catch such sale-only shoppers and make them buy something profitable...
Rebates are not done just for the fact that some people won't claim them...
They're also done as a limiting mechanism for loss-leader items. If they want to reduce the price of an item to less than cost, they most likely want to make sure you can only claim that deal once... and that's where a rebate with "limit 1 per household" kicks in. Sure, some people might use two mailing addresses to get it twice, but nobody's going to be able to grab 20 of the item and get the post-rebate price.
Funny, my site got more than quaduple it's usual traffic today and I didn't have a problem... then again, a normal day for me isn't anywhere close to 1/4 of a slashdotting...
An important concept that comes into play from the bean counters is "time value of money"... that is, the investors in the film want their millions back ASAP because even if the film gives them more money back, that has to be compared to how much their capital would have made had it been invested in something else or just sitting in a bank.
In short, giving up that director's fee had to equate to the interest the investor's money would have made over the six-month delay, or the bean counters woulda vetoed it.
I just feel sorry for the website admins at moviemistakes.com who are gonna have to clean their database out from these kind of troll jokes after being slashdotted...
Especially the shortcomings of those who have more money than we will ever see in our own lifetimes to spend on making a simple 2-hour-ish film...
Getting a feature film to be internally consistant with itself is not as easy as it seems, and it only gets harder the more shoots and scenes there are.
But there's always a chance to catch these things in editing... in fact, that scar mistake was most likely introduced when somebody took a mirror image of a shot for some reason or another, and forgot that it'd end up reversing the side of the face the scar appears. Sure, that could be fixed in editing, but if they forgot to do it... well, it ends up on that site.
Seems like the bigger the film, the more of these glitches surface as they rush to the box office.
No, right now I'm the only person who controls the questions in the game.
However, there game is constantly rotating questions in and out of play so that it's a completely different experience every time you come back to it. Bookmark it and see for yourself in a few hours...
Basic infromation warfare...
- You want to know what the enemy knows.
- You want to make sure the enemy doesn't know what you know.
It's all about intercepting the enemy's communications, and making sure that can't intercept yours.
In a "restricted area", usually the military doesn't want any electronics device that they don't control going in. Cans of Coke are tolerated, but cell phone links to the civilian world aren't...
Besides, even if you had a winning can on a military base, it's not like Coca-Cola's Prize Patrol is going to be able to deliver your SUV to you on the base... they most likely won't be allowed in.
This goes right next to the cases of people who get fired for bringing their new cell phone to work because their office is a security-tight "no camera zone" and their new phone just happens to be a cameraphone model.
Yes, it's an overparanoid reaction, but it's one that was promised for people who bring in a threat to the security even if they didn't do it on purpose.
For those outside of the USA... today's not a business day here because the "4th of July" proper fell on a Sunday, so today is effectively running on a weekend schedule for most things. That's most of the reason why there's not much news coming out today...
Sometimes, the military doesn't like the location of troops being revealed to anybody. They ban all cell phones and GPS devices that they don't control from being with such groups.
So, should a "winning" can be brought on such a mission, you've got a security hole... sure, the message is encrypted so that only Coca-Cola Prize Patrol knows where you are and hears what you say to them, but Coca-Cola Prize Patrol doesn't have security clearance now, do they?
Your car most likely trigged whenever it heard a wrong sequence on its frequency, figuring that somebody was trying to steal the car by trying to guess the code.
When the air-show came to town, there's usually some military aircraft included in the group whose favorite comminication frequency just happens to be the one your car alarm is tuned to.
Therefore, the car alarm thinks it's always being challenged by the random noise that is really the pilots talking to each other...
But this is one case where we don't want the tin foil hat to block a signal... we want our signals to work!
Being the "primary users" of bandwidth space gives you the right to jam out everybody else... "secondary users" are those whose use is tolerated but they must accept any interference from the primary users and shutdown if they're bothering any primary user.
The car entry system makers picked a frequency that belonged to the military as the primary user... they can't really complain when the military comes to town and wants to use their channel.
As the article points out, some cars are designed in such a way that even if you could get inside the car with the old fashioned key, the engine would be locked unless you transmitted the unlock signal within seconds of trying to start the car. Therefore, even if they could get in it wouldn't do them much good.
The cause of the problem is rather clear... keyless systems are Part 15-compliant flea power devices, and their makers have decided to pick radio frequencies used by the military. Since those frequencies are rarely used in most civilian areas, that bandwidth is usually in the clear. However, when a military ship is coming home, that's the frequency band most likely to be used to communicate with the base, and that's where the trouble starts...
Why don't the car people put their systems on 900mHz, 2.4GHz, or 5.8GHz with the rest of the consumer device universe? They might have to deal with occasional interference from other things, but they can be assured that nobody will ever come in with a high-wattage use of that space that'll blow them out of the water.