

Grex Cyberpunk Item 111: Security through obscurity. [linked]
Entered by bdh3 on Sat Nov 6 05:28:10 UTC 1999:

Called in on an emergency by a fellow member of my cohort.  A 'business
partner' sort of bailed out on an install.  Anyway, yesterday I visited
a 'secure computing location' that makes IBM's banking facility (with
armed wackyhunk guards) (where I spent a few months this summer - major
'names' that most anyone knows...) look like, well, like kindergarten? 
Unbelievable.  Like something out of the X-files.  Flew into 'town'. 
Met up with "John Fuji" at the airport and proceeded to drive to an
intersection where we were instructed to call a phone number (a
cell-phone) to get further directions.  (apparently 'they' will not send
directions to their site out over the Internet via e-mail.)  Drive per
the directions to a building where strips of duct tape cover the name on
the signs in the parking lot (why have signs in the first place?)  I
could tell a couple blocks away that the building was probably where we
were headed from the large size and number of air-conditioning units on
the roof, and in the parking lot yet to be installed.  Arrived at the
front door, an intercom conversation with somebody allowed us into the
'reception area' where only one of us was on the list for 'access'.  Got
paged from Florida (where a university is in 'crisis') and I asked to
use a telephone.  A portable phone was offered through the bank-teller
like security window (just for grins I also called home where on my
caller ID it showed up as some person judging from the line quality they
hide their pbx by call-forwarding through other numbers).  Finally,
after a half-hour or so of lots of activity (all billable to them) we
were issued badges (after signing 'non-disclosure agreement' of which
they gave us the original and kept the carbon copy (??)).  To get into
the 'holding area' and then into the 'machine floor' and directed to
'cage XX' where we had to search just about all 'cages' as they were not
in any particular order until we found 'cage XX' where the machines we
were to work on were.  Big steel mesh 10x10 cages with the vendor logo of
the lock drilled out (steelcase, I recognize it) separate each
'facility' from another (no cage over the roof, all you gotta do is
climb over - but all the cameras 'prevent' that.)  There we found our
systems to perform magic on - all directly connected to the Internet
with no firewalls or security installed as 'it had not arrived yet'... 
Discovered that the routers were 'misconfigured' -set up wrong - for the
subnet the ultimate customer was allocated and they told the customer
the wrong subnet mask.  (took two days to confirm that as everything is
'secret').  Nor were there DNS entries set up.  (Not to mention no DNS
entries for about the last 3 routers to that network if you did a
traceroute.)  

The 'site' is apparently a major 'co-location' vendor where you as an
'entity' can pay lots of money to have your 'web site' in a 'secure
location' - they couldn't tell us about 'backups' as it was 'proprietary
information' but it's not currently available -even tho- these guys are
looking at an 11/15 'product launch'  (guess what, you are gonna miss
your deadline). 

Stopped at the 7/11 to grab a pepsi on the way back to the airport and
asked the clerk if she knew anything about the 'secret site' and
described it and she said 'oh, yah, those assholes - and gave me the
company name - buncha yankees think they know everything'.  Said her
cousin works there and steals 'old' 8-mm tapes (backup tapes) to use in
his 8-mm videocamera.

91 responses total.



#1 of 91 by gelinas on Sat Nov 6 06:13:39 1999:

Jaysus, Mary, and Joseph.


#2 of 91 by morgaine on Sat Nov 6 06:18:10 1999:

*cries laughing*


#3 of 91 by mdw on Sat Nov 6 08:50:46 1999:

I take it these guys had not heard of the phrase "security through
obscurity"?


#4 of 91 by scott on Sat Nov 6 13:40:30 1999:

Oh my.  :)


#5 of 91 by polygon on Sat Nov 6 16:59:47 1999:

Heh!


#6 of 91 by spooked on Tue Nov 9 06:36:18 1999:

As part of an Information Security Research Centre, this scenario is all too
typical out there.  


#7 of 91 by mikep on Wed Nov 10 07:29:11 1999:

Let me guess...  Exodus?


#8 of 91 by keesan on Thu Nov 11 18:13:47 1999:

A friend of mine is working on a way for his company to comply with new
federal regulations requiring that the location of cell phones be identifiable
(by the caller) within 100 feet.  They are using GPS.  Would carrier pigeons
be more secret?


#9 of 91 by mcnally on Thu Nov 11 18:35:36 1999:

  Within 100 feet?  Unlikely..


#10 of 91 by rcurl on Thu Nov 11 21:04:42 1999:

The first scheme tried for identifying the location of cell phones was
by triangulation from at least three cell phone towers. I don't recall
how successful this has been. With GPS, the caller would want to have
the location determined, because it is easy to mask a GPS antenna, and GPS
does not work among tall buildings, under tree cover, and in a number
of other situations, without quite special and bulky equipment. It can
be installed in cars and be pretty effective, however. 

I was just using a cheap GPS receiver in the woods under heavy cover and
getting 5 meter accuracy (actually, 2+ meters, as I also averaged), but I
had it equipped with a DGPS beacon receiver too. This would also be easy
to install in a car. 



#11 of 91 by mikep on Thu Nov 11 21:50:01 1999:

"All the better to track and control you with, my dearie."


#12 of 91 by rcurl on Fri Nov 12 00:54:22 1999:

Until you turn it off...


#13 of 91 by gull on Fri Nov 12 02:50:51 1999:

For *now* you can turn it off.  It'll probably become a mandatory "Feature"
eventually, like the laws that force phone companies to make wiretapping as
easy as possible.


#14 of 91 by goose on Fri Nov 12 02:54:18 1999:

RE#11 -- If you're really that paranoid I feel sorry for you....(I can almost
guess your retort)


#15 of 91 by gelinas on Fri Nov 12 04:40:45 1999:

Who is the "caller"?  Do you mean that if I call my sister, I can find out
where she is?  Even if she doesn't want me to know?


#16 of 91 by bdh3 on Fri Nov 12 05:33:30 1999:

Uhm.  It apparently is news to some people that most all modern
cellphones cannot in fact be 'turned off' (unless you remove the
battery) and thus ....



#17 of 91 by rcurl on Fri Nov 12 05:37:30 1999:

What isn't "turned off"? Mine is deaf and dumb (and if it weren't, and
there is a bug tracing you from it, you just need to keep it in a
shielded case - but I'll bet it will never come to that).


#18 of 91 by scg on Fri Nov 12 05:58:31 1999:

The idea, at least as explained to the public, is that if people make
emergency 911 calls the dispatchers will be able to figure out where they are,
just like with wired phone calls to 911.  I can certainly see the application
for that, although ideologically such a feature would seem much better if
there were a way to selectively turn it off, or maybe make it so that it would
only report position while making a call to 911.

From the "big brother is watching you" standpoint, even without a feature to
pinpoint location within a few meters, the amount of information available
to cellular companies if they choose to log it is pretty scary.  Even if they
don't have a way to triangulate your position, they've at the very least got
information on which cell you're in with your phone turned on at any given
time.  Whether it's logged or not, that information has to be sent around
their network so that incoming calls can get routed to the right place.  Given
access to debugging output from the cellular networks somebody might not be
able to tell what building I'm in, but they'll be able to tell what neighborhood
I'm in, which direction I'm going in, and so forth.  They could figure when
I'm going to work or coming home from work, where I go on any trips I take,
and so forth.  They don't have to log that information (and it's reasonably
probable that they don't), but without that information at least being
transmitted around the network as it happens, the network won't work very
well.


#19 of 91 by rcurl on Fri Nov 12 06:01:24 1999:

Well, yes, they know where *your phone* is....sorta. 


#20 of 91 by scg on Fri Nov 12 06:11:05 1999:

Well, I am generally with my phone.  If I'm not, the phone probably isn't
moving.


#21 of 91 by scott on Fri Nov 12 12:29:30 1999:

Heh.  Of course in the free old days, we only had wired phones which could
be located down to the square foot (payphone bolted down).  


#22 of 91 by drew on Fri Nov 12 17:23:26 1999:

And, I thought it was always the case that a communications device emitting
EM could be located by triangulating on the signal.


#23 of 91 by danr on Fri Nov 12 22:29:43 1999:

Only if the receiving equipment has an antenna that is highly directional,
which is not usually the case with cell phone antennas.


#24 of 91 by russ on Sat Nov 13 05:22:42 1999:

Re #18:  Transmitting the location of the phone isn't necessary.
All you'd really have to do is transmit the fact that the phone
is being rung to the cells, and ask "Does anyone have contact
with this phone?"  It wouldn't take long for a cell to go through
the list of the phones it can hear and get a yes/no answer, and
it avoids having to make a central list of phones and locations.
The only cells that really have to know where a phone is, while
it's not making a call, are the ones which can hear it.  That
information doesn't need to go anywhere else.
 
Of course, it isn't done that way.
 
The "need" to locate cellphones for 911 service is another red
herring.  It wasn't long ago that people had to give their street
addresses when they called the police.  Now the service address
can be looked up automatically from the records, but this was
not a serious handicap to law enforcement before it came about.
 
The current law effectively mandates that every cell phone can
be tracked to within a couple hundred feet, every second that
it is in touch with the network.  This can be done by time-of-
arrival of signals at different receivers.  This is not very
difficult to do cheaply; it's how GPS receivers work.  And the
net result is that all Americans will lose a lot of privacy.
 
What's the impact?  Think of the possibilities for political
dirty tricks.  Most reporters carry cell phones, as do many
other people.  Now think of what a pol could do with the ability
to track the movements of a reporter digging dirt on them.  They
could watch who was visiting whom when, and have a chance to
lean on the people with the crucial knowledge to shut them up.
 
This is being sold to the public as a "safety" measure, because
there have been one or two incidents where a vehicle couldn't
be located immediately.  What we're getting is J. Edgar Hoover's
wet dream.  I don't like it one bit; it shouldn't be mandated,
it should be outlawed.  Some information should not be allowed
to be collected, by law.  This falls into that category.


#25 of 91 by goose on Sat Nov 13 17:01:10 1999:

Solution: don't use a cell phone.  If you *have* a legit business need
for one, use it with a pager, and don't turn it on when you don't have
to make a call.  Cell phone use is at insane levels...we don't need this
much communication...


#26 of 91 by gull on Sat Nov 13 20:45:42 1999:

Re #25: Analogy:  Let's say they put a chip in every car that transmitted
its exact position to the government, as well as its speed and the times it
was turned on and off.  You could say, 'Oh, it's not an invasion of privacy. 
Just don't use a car.  People should walk more anyway.'

The fact that you personally don't like cellular phones in no way means it's
okay for the government to track the exact location of all cellular phone
users.


#27 of 91 by gelinas on Sun Nov 14 00:41:02 1999:

Yeah, those On*Star commercials scare me, too.  I *really* don't want to be
tracked by the manufacturer just because it can.


#28 of 91 by gull on Sun Nov 14 03:30:15 1999:

Yup.  I'm waiting for the first case where police subpoena On*Star tracking
data.


#29 of 91 by rcurl on Sun Nov 14 05:44:53 1999:

It escapes me why one complains about the location of one's cell phone
being locatable when there was not a similar complaint about the
location of one's wire-line phone being known. No new invasion of privacy has
occurred. What it seems to be is a demand that a new level of privacy that
had not been available for the whole history of the telephone, until now,
be provided. I would not mind if that privacy were provided, but that
is a matter of working through the legislative process, and doesn't call
for paranoia.


#30 of 91 by scg on Sun Nov 14 06:19:30 1999:

Well, the location of my wire line phone stays static.  It shows the location
where I ordered a phone line to be installed more than a year ago.  It doesn't
track my movements.  It doesn't know whether I'm home or not, except when I'm
talking on it.  There's a pretty huge difference.

I tend to value my privacy a lot, at least in theory.  There's a lot of
information I consider personal, that I don't share with those who are not
very close friends.  There are various personal phone calls that I won't do
from work, because there's no sound proofing between my cubicle and the
neighboring cubicles.  I live alone, and am far more comfortable living alone
than I was living with other people, in part because it means there's nobody
else around to bother me, but also I think because I get a lot more privacy.
I'd be rather upset if I found that somebody I knew was reading my e-mail,
even though most of my e-mail doesn't say anything terribly personal.  Yet,
privacy when it comes to complete strangers concerns me a lot less.  I'm
fully aware that some employee of my cellular phone company could probably
track my movements at least in a general sense, if they wanted to.  I know
that when I send e-mail across the Internet, I risk it being read by somebody
with a packet sniffer.  But why should I care?  The cell phone network person
probably had no idea who I am, and wouldn't find my locational data the least
bit interesting.  Ditto for some random person somewhere reading my mail with
a packet sniffer.  Even if they did go looking for that information (which
they're probably not doing), they'd be finding information on what to them
was some random person, so it wouldn't mean anything.  That's a very different
situation than somebody collecting data on me.  Or is it?  It feels to me like
it is.


#31 of 91 by bdh3 on Sun Nov 14 06:34:00 1999:

Gee, people, if you are not doing anything wrong what do you have to
hide from your government?  (If you leave your cellphone turned off, the
battery goes dead.  Ever wonder why....?)  Oh, and Kevin Mitnick wasn't
caught with information from 'cell tower processors', although his
cellphone was on at the time (wouldn't have made all that much
difference had it been off....).

Mikep named a 'co-location' company name in a response above.  Offline
he described a number of observed and anecdotal incidents that led him
to conclude that the company I visited was the one he named.  While 'I
cannot confirm or deny, nor be disposed to discuss such a company if in
fact it existed'  I can tell you  that it is my experience that many (if
not most) of the new startup 'co-location' companies have 'million
dollar' 'physical security' that look good on paper and to the
un-knowledgeable investors and customers who haven't a clue in the first
place but have not a clue about 'data security'.  The third-shift
operations staff are often 'wetback' mexicans and/or asians who are paid
very poorly and routinely steal 8-mm or 4-mm backup tapes (fresh ones
are 'controlled' inventory, those with actual potentially valuable data
on them are not) for use in camcorders or audio tape machines (a chronic
problem).  (Why 'break in' when you can pay the minimum wage drone 100
bucks to steal a complete set of last week's backup tapes?)

Often times the 'operations center' will accept telephone instructions
to 'reboot' system such-and-so without verification (something so simple
as 'Hi, this is hector, I have an operational immediate instruction'. 
Operations pern hangs up, looks up and calls back 'hector' at one of
multiple listed phone numbers and finally reaches 'hector'.  Oppern
challenges 'hector'  'page X, row Y, column Z'.  To what 'hector'
responds 'codeword' (xb71ydcq).  Now good ol' boy 'hector' challenges
'oppern' 'page Q, row R, column S' and 'hector' responds codeword
'bearssuck'.  Now both hector and oppern are choir members singing from
the same playbook over a non-secure line even if they have never met
each other and have no idea who each other are.  In order to subvert
this system you have to steal the 'book' and at the same time make sure
that the real 'hector' is not at any of the phone numbers while at the
same time making sure only you are. (Subvert the local phone switch to
the secure facility after stealing the playbook.)

Why is this a problem?  While 'you' are rebooting a bad guy can pretend
to be you.

There are a number of other typical problems with 'co-location' vendors
that mikep noticed and pointed out in his offline comments.

Suffice to say, it's a wonderful concept that I am not sure that anyone
other than the major players who have already been doing this 'thing'
for years before the WWW became so popular are in a position to safely
carry it out.  (In IBM's case for example, you can't get access to the
physical plant in the first place, no 'cages' to climb over.  Individual
sessions from workstations in the 'war room' (ops center) are encrypted
(SSH) on a private network and you cannot view the screens of
neighboring workstations in the 'bubble' (a sealed section of a floor of
a large building (secured) with armed 'wackyhunk' guards with no memory
of yesterday (You might have been allowed in that building on that floor
yesterday, but today is another day...).
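
The callback-and-codebook check described in #31, as an added example that is not part of the original post or any vendor's actual procedure. `Party`, `verify_caller`, the phone numbers and the codebook contents are constructed for illustration; retiring each cell after one use is an added assumption, made because codewords spoken on a non-secure line can be overheard.

```python
import hmac
import secrets

# Constructed sample book shared by both sides: (page, row, column) -> codeword.
BOOK = {(p, r, c): secrets.token_hex(4)
        for p in range(1, 4) for r in range(1, 3) for c in range(1, 3)}


class Party:
    """One holder of a copy of the codebook."""

    def __init__(self, name, book):
        self.name = name
        self.book = dict(book)
        self.spent = set()  # cells already spoken aloud on the open line

    def challenge(self):
        """Pick a cell that has never been used on the line and retire it."""
        fresh = [cell for cell in self.book if cell not in self.spent]
        if not fresh:
            raise RuntimeError("codebook exhausted; issue a new book")
        cell = secrets.choice(fresh)
        self.spent.add(cell)
        return cell

    def respond(self, cell):
        """Answer a challenge; refuse unknown or already-spoken cells."""
        if cell in self.spent or cell not in self.book:
            return None
        self.spent.add(cell)
        return self.book[cell]

    def check(self, cell, answer):
        """Constant-time comparison of the spoken codeword with the book."""
        expected = self.book.get(cell)
        if expected is None or answer is None:
            return False
        return hmac.compare_digest(expected.encode(), answer.encode())


def verify_caller(operator, claimed_name, directory, line):
    """Operator side: hang up, call back a listed number, challenge both ways.

    directory maps a name to its listed numbers; line(number) returns whoever
    answers that number, or None. The inbound call itself is never trusted.
    """
    for number in directory.get(claimed_name, []):
        peer = line(number)
        if peer is None:
            continue  # nobody there, try the next listed number
        cell = operator.challenge()
        if not operator.check(cell, peer.respond(cell)):
            return False  # wrong codeword: stop, do not offer another try
        cell = peer.challenge()  # now the peer authenticates the operator
        return peer.check(cell, operator.respond(cell))
    return False  # name not listed, or nobody reachable
```

A failed attempt retires a cell on the operator's copy only, so a real deployment of this scheme would also need a way to bring the two copies of the book back in step.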


#32 of 91 by scg on Sun Nov 14 06:44:25 1999:

The description I've been using is colo facilities designed by marketing
people for marketing people.


#33 of 91 by bdh3 on Sun Nov 14 06:50:38 1999:

Even IBM has some security problems IMHO.  For example, if you are
involved in a 'secure line' 'scramble phone' conference call on a 'crit
sit', it is scheduled for a specific time in a 24-hour period.
The 'passcodes' are re-used during that same period such that after your
call is over, you can call back and use the same 'passcode' to 'join' a
call in progress that has nothing to do with you.  Even though there is
a distinctive 'tone sequence' indicating someone has joined the call it
is rare that people stop speaking and ask 'who just joined' and all hang
up if nobody answers (simply say, 'sorry, got hung up on' and typically
nobody will question it if anyone questions at all and the conversation
continues).

(Hypothetically one might have listened to many an interesting
conference call.  One involving the asian currency crash comes to
mind...)


#34 of 91 by rcurl on Sun Nov 14 19:21:48 1999:

Re #31: the battery goes dead even though a cellular phone is turned off
because it uses either NiCd or NiMH technology, both of which 'leak' and
go dead in the order of a couple of weeks. The cell phone is neither
listening nor transmitting when it is turned off. 


#35 of 91 by gelinas on Sun Nov 14 22:38:56 1999:

Re #29:  One difference is the expectation of privacy.  I *know* that my
landline is a fixed installation of known location.  I know that if I'm
using it, my location is known, within a reasonable margin of error.
However, I do not have similar knowledge about cellular phones and thus I
have the *expectation* that my location is NOT identifiable.

The expectation is the difference.


#36 of 91 by mcnally on Sun Nov 14 22:46:25 1999:

  re #35:  I couldn't disagree more.  The logical conclusion following
  from your distinction is that as long as you were told in advance you
  wouldn't mind a corporation or the government being able to track your
  movements to within a hundred meters or so any time you were carrying
  your phone.  I don't believe that many people feel that way at all..



#37 of 91 by flem on Sun Nov 14 22:51:15 1999:

I imagine that if the Feds are interested in your location, they more 
than likely have someone following you around 24/7.  It seems like the 
location of a cellphone would not be very interesting, legally, without 
the equivalent of a wiretap to go with it.  If the Feds are wiretapping 
you and are interested in your location, you have bigger problems than 
lack of privacy.  


#38 of 91 by gelinas on Sun Nov 14 23:20:58 1999:

Mike, it ain't that simple.  People's expectations have very little to do
with what they are told.  For example, cellular telephone conversations are
broadcast on the open airwaves and so cannot be considered private. 
Nonetheless, people think and expect them to be private, so those folks who
taped their neighbors (and, as I recall, N. Gingrich's) conversations got
into trouble.


#39 of 91 by scg on Mon Nov 15 02:25:49 1999:

Yes, that is worth keeping in mind when talking on cellular or cordless
phones.  I generally operate on the assumption that anybody listening to my
phone conversations will be really bored really quickly, but I do avoid giving
out passwords or credit card numbers over the cell phone.

