35 Years of the Digest ... founded August 21, 1981
Copyright © 2017 E. William Horne. All Rights Reserved.

The Telecom Digest for Sun, 08 Oct 2017
Volume 36 : Issue 122 : "text" format

Table of contents
Researchers: Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen - Monty Solomon
CenturyLink to Service SMB Segment With Managed WiFi Network - Bill Horne
Re: White House wants to end Social Security numbers as a national ID - Rob Warnock
Re: CenturyLink to Service SMB Segment With Managed WiFi Network - Garrett Wollman
Re: Verizon to discontinue legacy services across seven-state area - HAncock4
Google sending balloons to help PR phone service - danny burstein
----------------------------------------------------------------------

Message-ID: <FB785608-105A-4C30-AA28-AA3D62D32622@roscom.com>
Date: Fri, 6 Oct 2017 23:45:25 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Researchers: Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen

Researchers: Uber's iOS App Had Secret Permissions That Allowed It to
Copy Your Phone Screen

To improve functionality between Uber's app and the Apple Watch, Apple
allowed Uber to use a powerful tool that could record a user's iPhone
screen, even if Uber's app was only running in the background,
security researchers told Gizmodo. After the researchers discovered
the tool, Uber said it is no longer in use and will be removed from
the app.

The screen recording capability comes from what's called an
"entitlement" - a bit of code that app developers can use for anything
from setting up push notifications to interacting with Apple systems
like iCloud or Apple Pay. This particular entitlement, however, was
intended to improve memory management for the Apple Watch. The
entitlement isn't common and would require Apple's explicit permission
to use, the researchers explained. Will Strafach, a security
researcher and CEO of Sudo Security Group, said he couldn't find any
other apps with the entitlement live on the App Store.

https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235

------------------------------

Message-ID: <20171007180349.GA29686@telecom.csail.mit.edu>
Date: Sat, 7 Oct 2017 14:03:49 -0400
From: Bill Horne <bill@horneQRM.net>
Subject: CenturyLink to Service SMB Segment With Managed WiFi Network

Network Neutrality is no problem for CenturyLink: the company will
allow its "SMB" "customers" to "prioritize" and "throttle" traffic
before it gets to the ILEC's wires.

BH

- - - - - - - - - - - - -

Regional wireline operator and incumbent local exchange carrier
("ILEC") CenturyLink Inc.
CTL is opting for managed WiFi services to cater to the demands of
small and mid-sized business (SMB) and to lure more customers in this
segment from cable TV operators and Competitive local exchange
carriers ("CLEC").

Based on Meraki technology of Cisco Systems Inc., the managed WiFi
platform will offer real-time monitoring and analytics in order to
enable enterprises to better connect with customers. Business
customers will be able to view their networks through Meraki's
dashboard. They can also prioritize and throttle priority and
nonpriority applications. Moreover, enterprises can use client- and
location-based analytics to better serve their clients who are
connected to the network.

http://www.nasdaq.com/article/centurylink-to-service-smb-segment-with-managed-wifi-network-cm851212

--
Bill Horne
(Remove QRM from my email address to write to me directly)

------------------------------

Message-ID: <or9t8f$8b2$1@dont-email.me>
Date: Sat, 7 Oct 2017 06:46:39 -0000 (UTC)
From: rpw3@rpw3.org (Rob Warnock)
Subject: Re: White House wants to end Social Security numbers as a national ID

Monty Solomon <monty@roscom.com> wrote:
+---------------
| White House wants to end Social Security numbers as a national ID
|
| US government is examining the use of a "modern cryptographic
| identifier."
+---------------

As noted in the comments of the referenced URL, a large part of the
problem is that people try to use the SSN as an *authenticator* (e.g.,
like a password) when it's actually only an identifier (e.g., user
name). Hence such oxymoronic phrases as "cryptographic identifier".
The *identifier* doesn't need any cryptography [except perhaps a MAC],
but the *authenticator* certainly does!

+---------------
| "I believe the Social Security number has outlived its usefulness,"
| said Joyce...
+---------------

Note that Medicare, which has historically used SSNs[1] as
identifiers, is already [well, early next year] rolling out a new
format for Medicare account numbers:

    https://www.medicare.gov/forms-help-and-resources/your-medicare-card.html
    ...
    New Medicare cards are coming

    Medicare will mail new Medicare cards between April 2018 and
    April 2019. Your new card will have a new Medicare Number that's
    unique to you, instead of your Social Security Number. This will
    help to protect your identity.

    See an example of the new Medicare card.
    ==> https://www.medicare.gov/medicare-images/JohnSmithWatermarkCards.jpg
    [Shows example new form ID: "1EG4-TE5-MK72".]

It's nice that they're decoupling from the SSN, but note that this is
still only an "identifier", with no additional authentication
added.[2]

-Rob

[1] Historically one's Medicare ID number was one's SSN, suffixed with
    a single letter that encoded a few bits of your account status.
    E.g., if you started Medicare at age 65 but did not "retire" yet
    [that is, did not start taking SSA benefits], your Medicare number
    was of the form "000-00-0000-T". If you then later "retired", your
    Medicare ID number would *change* from "000-00-0000-T" to
    "000-00-0000-A" [assuming you were the primary SSA beneficiary].
    [Yes, this happened to me!] Other suffix letters encode other
    possible status:

    https://www.medicaremall.com/senior-living/2013/05/23/extra-letters-medicare-card-mean/
    What Do Those Extra Letters on Your Medicare Card Mean?

[2] That I can tell... There might be a check digit or two in
    there.(?)

+--------------------------------------------------------------+
Rob Warnock             <rpw3@rpw2.org>
627 26th Avenue         <http://rpw3.org/>
San Mateo, CA 94403

------------------------------

Message-ID: <orba1g$1j1s$1@grapevine.csail.mit.edu>
Date: Sat, 7 Oct 2017 19:30:57 +0000 (UTC)
From: wollman@bimajority.org (Garrett Wollman)
Subject: Re: CenturyLink to Service SMB Segment With Managed WiFi Network

In article <20171007180349.GA29686@telecom.csail.mit.edu>,
Bill Horne <bill@horneQRM.net> wrote:

>Based on Meraki technology of Cisco Systems Inc., the managed WiFi
>platform will offer real-time monitoring and analytics in order to
>enable enterprises to better connect with customers. Business
>customers will be able to view their networks through Meraki's
>dashboard. They can also prioritize and throttle priority and
>nonpriority applications.

We've been using Meraki wireless for nearly as long as the company has
been around (disclaimer: Meraki was a CSAIL spinoff and gave us a very
steep discount on our initial deployment). I have found that their
application identification is informative, but unfortunately the
product lacks integration with IP differentiated services on the wired
side, so I decided not to try to use it for traffic prioritization.

The product uses a combination of shallow and deep packet inspection
and DNS snooping to identify applications, rather than just protocols.
I suspect that it also has lists of certain providers' network blocks
as well.

If I look at my top-20 "applications" over the past 24 hours, it tells
me that they are: 1) SSH, 2) "Miscellaneous secure web", 3) "Apple
file sharing" (local backups), 4) Dropbox, 5) YouTube, 6) apple.com,
7) "UDP", 8) "Non-web TCP", 9) "Miscellaneous web", 10) iTunes,
11) Facebook, 12) Google HTTPS, 13) "Encrypted TCP (SSL)",
14) "Software updates", 15) Google, 16) Spotify, 17) "CDNs" (Content
Distribution Networks), 18) iCloud (Apple cloud backups), 19) Gmail,
20) "Miscellaneous video"

"Applications" 1, 2, 3, 7, 8, and 9 are easy to identify by shallow
inspection [TCP/22, TCP/443, TCP/548, UDP/(not 53 or 5353), TCP/(not
80 or 443), TCP/80]. The rest require some form of payload inspection
(either DNS snooping or actually looking for protocol handshakes
inside TCP connections). Streaming video can be semi-reliably
identified on the basis of interarrival times.

If I dig more deeply into the list, I can see which news sites my
users frequent, where they shop (I'm going to assume for
business-related purchases here), and what cloud and peer-to-peer
applications they use. As an operator of a university network, this
level of packet inspection doesn't bother me much (after all, I'm
already snooping on every packet that enters or leaves the network
anyway). As a residential customer, I'd be a bit more uncomfortable.
(And I know that my home ISP is almost certainly collecting similar
data on me to sell to advertisers without my consent.)

This sort of traffic analysis is now fairly routine and easy to do.
It is one of the justifications for DNScrypt, a proposed protocol for
clients to communicate with (non-ISP) resolvers without exposing the
content of queries, although it's not clear how much that buys you
given that for most applications, a DNS lookup is almost immediately
followed by an HTTP(S) connection which reveals the same information.

-GAWollman

--
Garrett A. Wollman    | "Act to avoid constraining the future; if you can,
wollman@bimajority.org| act to remove constraint from the future. This is
Opinions not shared by| a thing you can do, are able to do, to do together."
my employers.         | - Graydon Saunders, _A Succession of Bad Days_ (2015)

------------------------------

Message-ID: <513952e1-8ec0-43f3-ba45-068b5a0d2936@googlegroups.com>
Date: Sat, 7 Oct 2017 12:26:36 -0700 (PDT)
From: HAncock4 <withheld@invalid.telecom-digest.org>
Subject: Re: Verizon to discontinue legacy services across seven-state area

On Thursday, October 5, 2017 at 8:53:58 PM UTC-4, Bill Horne wrote:

> U.S. telecom behemoth, Verizon Communications Inc VZ is reportedly
> seeking permission from the U.S. telecom regulator Federal
> Communications Commission (FCC) to discontinue four legacy interstate
> DS0 services across parts of seven states. These legacy voice and
> low-speed data services are Voice Grade Service, WATS Access Line
> Service, Digital Data Service and DIGIPATH Digital Service II.
>
> The affected states include Delaware, Maryland, New England, New
> Jersey, New York, Pennsylvania and Virginia. Verizon has about 10
> wholesale customers and approximately 67 retail customers for these
> services in the affected areas.
>
> http://www.nasdaq.com/article/verizon-vz-to-shut-down-legacy-voice-services-in-7-states-cm855014

What will happen to people who don't have fibre service to their home?
Lots of places do not have it.

Will they be forced to go over to Comcast? In my area at least,
Comcast is notoriously unreliable.

------------------------------

Message-ID: <Pine.NEB.4.64.1710072140030.29901@panix5.panix.com>
Date: Sat, 7 Oct 2017 21:42:21 -0400
From: danny burstein <dannyb@panix.com>
Subject: Google sending balloons to help PR phone service

[Al Jazeera. Live with it]

Google to use balloons for Puerto Rico phone service

Alphabet Inc is sending high-altitude balloons to provide phone
service to island devastated by Hurricane Maria.

Alphabet Inc, the company that controls Google, is sending special
balloons to Puerto Rico to help restore phone service after the island
was devastated by Hurricane Maria last month.

The US Federal Communications Commission said it had approved the
company's application to provide the emergency cellular service to
Puerto Rico.

=====
rest:
http://www.aljazeera.com/news/2017/10/google-balloons-provide-puerto-rico-telephone-service-171007051308043.html

_____________________________________________________
Knowledge may be power, but communications is the key
dannyb@panix.com
[to foil spammers, my address has been double rot-13 encoded]

------------------------------

*********************************************
End of telecom Digest Sun, 08 Oct 2017
