bdh3
Security through obscurity.
Nov 6 05:28 UTC 1999
Called in on an emergency by a fellow member of my cohort. A 'business
partner' sort of bailed out on an install. Anyway, yesterday I visited
a 'secure computing location' that makes IBM's banking facility (with
armed wackyhunk guards) (where I spent a few months this summer - major
'names' that most anyone knows...) look like, well, like kindergarten?
Unbelievable. Like something out of the X-files. Flew into 'town'.
Met up with "John Fuji" at the airport and proceeded to drive to an
intersection where we were instructed to call a phone number (a
cell-phone) to get further directions. (apparently 'they' will not send
directions to their site out over the Internet via e-mail.) Drive per
the directions to a building where strips of duct tape cover the name on
the signs in the parking lot (why have signs in the first place?) I
could tell a couple blocks away that the building was probably where we
were headed from the large size and number of air-conditioning units on
the roof, and in the parking lot yet to be installed. Arrived at the
front door, an intercom conversation with somebody allowed us into the
'reception area' where only one of us was on the list for 'access'. Got
paged from Florida (where a university is in 'crisis') and I asked to
use a telephone. A portable phone was offered through the bank-teller
like security window (just for grins I also called home where on my
caller ID it showed up as some person judging from the line quality they
hide their PBX by call-forwarding through other numbers). Finally,
after a half-hour or so of lots of activity (all billable to them) we
were issued badges (after signing 'non-disclosure agreement' of which
they gave us the original and kept the carbon copy (??). To get into
the 'holding area' and then into the 'machine floor' and directed to
'cage XX' where we had to search just about all 'cages' as they were not
in any particular order until we found 'cage XX' where the machines we
were to work on were. Big steel mesh 10x10 cages with the vendor logo of
the lock drilled out (steelcase, I recognize it) separate each
'facility' from another (no cage over the roof, all you gotta do is
climb over - but all the cameras 'prevent' that.) There we found our
systems to perform magic on - all directly connected to the Internet
with no firewalls or security installed as 'it had not arrived yet'...
Discovered that the routers were 'misconfigured' -set up wrong - for the
subnet the ultimate customer was allocated and they told the customer
the wrong subnet mask. (took two days to confirm that as everything is
'secret'). Nor were there DNS entries set up. (Not to mention no DNS
entries for about the last 3 routers to that network if you did a
traceroute.)
The 'site' is apparently a major 'co-location' vendor where you as an
'entity' can pay lots of money to have your 'web site' in a 'secure
location' - they couldn't tell us about 'backups' as it was 'proprietary
information' but it's not currently available -even tho- these guys are
looking at an 11/15 'product launch' (guess what, you are gonna miss
your deadline).
Stopped at the 7/11 to grab a pepsi on the way back to the airport and
asked the clerk if she knew anything about the 'secret site' and
described it and she said 'oh, yah, those assholes - and gave me the
company name - buncha yankees think they know everything'. Said her
cousin works there and steals 'old' 8-mm tapes (backup tapes) to use in
his 8-mm videocamera.

91 responses total.

gelinas
response 1 of 91:
Nov 6 06:13 UTC 1999
Jaysus, Mary, and Joseph.

morgaine
response 2 of 91:
Nov 6 06:18 UTC 1999
*cries laughing*

mdw
response 3 of 91:
Nov 6 08:50 UTC 1999
I take it these guys had not heard of the phrase "security through
obscurity"?

scott
response 4 of 91:
Nov 6 13:40 UTC 1999
Oh my. :)

polygon
response 5 of 91:
Nov 6 16:59 UTC 1999
Heh!

spooked
response 6 of 91:
Nov 9 06:36 UTC 1999
As part of an Information Security Research Centre, this scenario is all too
typical out there.

mikep
response 7 of 91:
Nov 10 07:29 UTC 1999
Let me guess... Exodus?

keesan
response 8 of 91:
Nov 11 18:13 UTC 1999
A friend of mine is working on a way for his company to comply with new
federal regulations requiring that the location of cell phones be identifiable
(by the caller) within 100 feet. They are using GPS. Would carrier pigeons
be more secret?

mcnally
response 9 of 91:
Nov 11 18:35 UTC 1999
Within 100 feet? Unlikely..

rcurl
response 10 of 91:
Nov 11 21:04 UTC 1999
The first scheme tried for identifying the location of cell phones was
by triangulation from at least three cell phone towers. I don't recall
how successful this has been. With GPS, the caller would want to have
the location determined, because it is easy to mask a GPS antenna, and GPS
does not work among tall buildings, under tree cover, and in a number
of other situations, without quite special and bulky equipment. It can
be installed in cars and be pretty effective, however.
I was just using a cheap GPS receiver in the woods under heavy cover and
getting 5 meter accuracy (actually, 2+ meters, as I also averaged), but I
had it equipped with a DGPS beacon receiver too. This would also be easy
to install in a car.

mikep
response 11 of 91:
Nov 11 21:50 UTC 1999
"All the better to track and control you with, my dearie."

rcurl
response 12 of 91:
Nov 12 00:54 UTC 1999
Until you turn it off...

gull
response 13 of 91:
Nov 12 02:50 UTC 1999
For *now* you can turn it off. It'll probably become a mandatory "Feature"
eventually, like the laws that force phone companies to make wiretapping as
easy as possible.

goose
response 14 of 91:
Nov 12 02:54 UTC 1999
RE#11 -- If you're really that paranoid I feel sorry for you....(I can almost
guess your retort)

gelinas
response 15 of 91:
Nov 12 04:40 UTC 1999
Who is the "caller"? Do you mean that if I call my sister, I can find out
where she is? Even if she doesn't want me to know?

bdh3
response 16 of 91:
Nov 12 05:33 UTC 1999
Uhm. It apparently is news to some people that most all modern
cellphones cannot in fact be 'turned off' (unless you remove the
battery) and thus ....

rcurl
response 17 of 91:
Nov 12 05:37 UTC 1999
What isn't "turned off"? Mine is deaf and dumb (and if it weren't, and
there is a bug tracing you from it, you just need to keep it in a
shielded case - but I'll bet it will never come to that).

scg
response 18 of 91:
Nov 12 05:58 UTC 1999
The idea, at least as explained to the public, is that if people make
emergency 911 calls the dispatchers will be able to figure out where they are,
just like with wired phone calls to 911. I can certainly see the application
for that, although ideologically such a feature would seem much better if
there were a way to selectively turn it off, or maybe make it so that it would
only report position while making a call to 911.
From the "big brother is watching you" standpoint, even without a feature to
pinpoint location within a few meters, the amount of information available
to cellular companies if they choose to log it is pretty scary. Even if they
don't have a way to triangulate your position, they've at the very least got
information on which cell you're in with your phone turned on at any given
time. Whether it's logged or not, that information has to be sent around
their network so that incoming calls can get routed to the right place. Given
access to debugging output from the cellular networks somebody might not be
able to tell what building I'm in, but they'll be able to tell what neighborhood
I'm in, which direction I'm going in, and so forth. They could figure when
I'm going to work or coming home from work, where I go on any trips I take,
and so forth. They don't have to log that information (and it's reasonably
probable that they don't), but without that information at least being
transmitted around the network as it happens, the network won't work very
well.

rcurl
response 19 of 91:
Nov 12 06:01 UTC 1999
Well, yes, they know where *your phone* is....sorta.

scg
response 20 of 91:
Nov 12 06:11 UTC 1999
Well, I am generally with my phone. If I'm not, the phone probably isn't
moving.

scott
response 21 of 91:
Nov 12 12:29 UTC 1999
Heh. Of course in the free old days, we only had wired phones which could
be located down to the square foot (payphone bolted down).

drew
response 22 of 91:
Nov 12 17:23 UTC 1999
And, I thought it was always the case that a communications device emitting
EM could be located by triangulating on the signal.

danr
response 23 of 91:
Nov 12 22:29 UTC 1999
Only if the receiving equipment has an antenna that is highly directional,
which is not usually the case with cell phone antennas.

russ
response 24 of 91:
Nov 13 05:22 UTC 1999
Re #18: Transmitting the location of the phone isn't necessary.
All you'd really have to do is transmit the fact that the phone
is being rung to the cells, and ask "Does anyone have contact
with this phone?" It wouldn't take long for a cell to go through
the list of the phones it can hear and get a yes/no answer, and
it avoids having to make a central list of phones and locations.
The only cells that really have to know where a phone is, while
it's not making a call, are the ones which can hear it. That
information doesn't need to go anywhere else.
Of course, it isn't done that way.
The "need" to locate cellphones for 911 service is another red
herring. It wasn't long ago that people had to give their street
addresses when they called the police. Now the service address
can be looked up automatically from the records, but this was
not a serious handicap to law enforcement before it came about.
The current law effectively mandates that every cell phone can
be tracked to within a couple hundred feet, every second that
it is in touch with the network. This can be done by time-of-arrival
of signals at different receivers. This is not very
difficult to do cheaply; it's how GPS receivers work. And the
net result is that all Americans will lose a lot of privacy.
What's the impact? Think of the possibilities for political
dirty tricks. Most reporters carry cell phones, as do many
other people. Now think of what a pol could do with the ability
to track the movements of a reporter digging dirt on them. They
could watch who was visiting whom when, and have a chance to
lean on the people with the crucial knowledge to shut them up.
This is being sold to the public as a "safety" measure, because
there have been one or two incidents where a vehicle couldn't
be located immediately. What we're getting is J. Edgar Hoover's
wet dream. I don't like it one bit; it shouldn't be mandated,
it should be outlawed. Some information should not be allowed
to be collected, by law. This falls into that category.
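The time-of-arrival scheme russ describes in response 24 (the same geometry a GPS receiver solves, with the roles of transmitter and receiver swapped) can be worked through in a few dozen lines, which is the point of his "not very difficult to do cheaply". The following is an added example, not code from anyone in this thread: it constructs four receivers at known positions with synchronised clocks, one emitter at a position the solver is not told, and recovers the emitter's position and its unknown transmit time from the arrival times alone. The receiver layout, emitter position, transmit time and jitter figure are all constructed sample values; the solver assumes a flat 2-D plane and that the receivers share one clock.

```python
import math
import random

C = 299_792_458.0  # propagation speed, m/s (radio in air is very close to this)

# Constructed scenario (not from the thread): four receivers with known
# positions in metres and synchronised clocks, and one emitter whose
# position and transmit time the solver must recover.
RECEIVERS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0), (5000.0, 5000.0)]
EMITTER = (1200.0, 3100.0)
T0 = 10e-6  # transmit time in seconds after a shared reference epoch


def arrival_times(emitter, t0, receivers, jitter_ns=0.0, rng=None):
    """Constructed measurements: the time each receiver hears the burst."""
    times = []
    for rx in receivers:
        t = t0 + math.dist(emitter, rx) / C
        if jitter_ns:  # receiver timing error, modelled as Gaussian
            t += (rng or random).gauss(0.0, jitter_ns * 1e-9)
        times.append(t)
    return times


def solve3(a, rhs):
    """Solve a 3x3 linear system by Gauss-Jordan elimination with pivoting."""
    m = [row[:] + [rhs[i]] for i, row in enumerate(a)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-9:
            raise ValueError("degenerate receiver/emitter geometry")
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [vr - f * vc for vr, vc in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]


def locate(receivers, times):
    """Recover (x, y, t0) from arrival times at the first four receivers.

    Model: c * (t_i - t0) = |p - r_i|.  With rho_i = c * t_i and b = c * t0,
    squaring each equation and subtracting receiver 0's cancels |p|^2 and
    b^2, leaving three equations that are linear in (x, y, b).
    """
    if len(receivers) < 4:
        raise ValueError("need at least four receivers for a 2-D fix")
    rho = [C * t for t in times]
    (x0, y0), rho0 = receivers[0], rho[0]
    a, rhs = [], []
    for (xi, yi), ri in zip(receivers[1:4], rho[1:4]):
        a.append([2 * (xi - x0), 2 * (yi - y0), -2 * (ri - rho0)])
        rhs.append((xi * xi + yi * yi) - (x0 * x0 + y0 * y0)
                   - (ri - rho0) * (ri + rho0))
    x, y, b = solve3(a, rhs)
    return x, y, b / C


def position_error(estimate, truth):
    """Distance in metres between an (x, y, t0) fix and the true position."""
    return math.dist(estimate[:2], truth)


def noisy_fix_error(jitter_ns=20.0, seed=7):
    """Position error when every receiver's clock has the given jitter."""
    times = arrival_times(EMITTER, T0, RECEIVERS, jitter_ns, random.Random(seed))
    return position_error(locate(RECEIVERS, times), EMITTER)


if __name__ == "__main__":
    x, y, t0 = locate(RECEIVERS, arrival_times(EMITTER, T0, RECEIVERS))
    print("noiseless fix: x=%.3f m  y=%.3f m  t0=%.3f us" % (x, y, t0 * 1e6))
    print("20 ns timing jitter -> %.0f m position error" % noisy_fix_error())
```

With exact arrival times the fix lands on the constructed emitter position; raising jitter_ns shows how receiver clock error turns into position error, since 1 ns of timing is about 30 cm of range. The closed-form solve needs four receivers and raises ValueError when the geometry is degenerate (for instance an emitter on the square's diagonal, where the subtracted equations become dependent); a deployed system would fit many receivers by least squares instead.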