| There is a footnote to the preceding anecdote.
This year, there was another BBC Microlive program with Ian McNaught-Davis
and the British Telecom Gold message service.
After the happenings last year, BT were very careful with the account locked
and the password set at the last moment by a senior member of BT staff.
This very senior person then walked into the studio and across to 'Mac' and
whispered the new password into his ear just before the program. This very
senior person did not know about tie-clip microphones.
The audience who were waiting in one of the conference rooms heard this over
the studio monitors. At least one disreputable type had brought both a
portable computer and an acoustic-coupler with him.
However, BT's security was preserved. The BBC are very strict over outside
lines to prevent personal calls and the hacker could not find a phone
without leaving the studios.
Hugh.
|
| (This relates to this note's title, not .0 and .1).
A friend of mine called me up a few days ago and asked me to dial a certain
number on my phone that has the modem connected to it. It seems he has added
a modem to his Heathkit Z100(?) and wrote some code to ask for account names
and passwords. This is so he can hack on his micro during the slow hours while
he is at work. He needed someone to log in to the system to check it out,
since he didn't have an extra modem and terminal at home.
I logged in, and noticed a file called ACCT.TXT, so I typed it out. You
guessed it, it was the password file! If I ever find out how the editor works
on the system, I am going to create an account for my wife, and chop the
accounting entry for my login out of the accounting file.
/AHM
|
| There is currently a 'widely known' stock service that is advertising
a system that lets you use your touch-tone phone to get stock quotes. They
charge .50 per minute for connect time.
Although the article that described the system (and tells you how to use
it) lists the telephone numbers for using the system, it also lists a telephone
number for getting a demo. When you call the demo number, a person tells
you about the service, and asks if she can give you a free demonstration.
You actually hear the entire session, from the moment it asks for her
'secret code', through the time she gets the stock quote of your request.
I even mentioned to her that 'Gee, wasn't it a shame that I don't have a
tape-recorder, but I guess your secret code changes quite frequently', only
to be told that 'no, we always use this one'.
Well, anyway, this is an anecdote that is still in the making I guess....
It only goes to show that no matter how much some people pay attention
to security, there will always be new holes as technology moves in new
directions.
[I deliberately do not mention which service, or reveal any 'secrets' beyond
common sense, so we are far from a Tcimpidis situation; just reporting a
story, just like the NY Times had a front page article listing which foreign
coins people were using to get $.90 subway rides for about $.02.]
|
| I should also mention that not all 'holes' are accidents.
Perhaps, until their system becomes loaded, they deliberately let clever
people use the system for free. This way, the people become accustomed
to using the system, and get 'hooked'. When the system utilization of
paying customers starts getting higher, or when response-time or
access-lines hit undesirable levels, they can turn off the 'stolen'
codes, and hopefully get a number of 'hooked' customers to sign up.
(these people might not have ever tried the system again if they thought
they would always have to pay).
Leaving holes can always be done deliberately.
You always have to wonder when you get something for nothing.....
|