32 Years of the Digest ... founded August 21, 1981
The Telecom Digest for September 8, 2013
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
Addresses herein are not to be added to any mailing list, nor to be sold or given away without the explicit written consent of the owner of that address. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest.
Date: Sat, 7 Sep 2013 10:32:52 -0400
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: After patent loss, Apple tweaks FaceTime - and logs 500,000 complaints
Message-ID: <email@example.com>

Report: After patent loss, Apple tweaks FaceTime - and logs 500,000 complaints

Apple is doing a "design around" in a case where it already lost $368 million.

by Joe Mullin
Aug 30 2013
Ars Technica

http://arstechnica.com/tech-policy/2013/08/report-after-patent-loss-apple-tweaks-facetime-and-logs-500000-complaints/
Date: Sat, 7 Sep 2013 10:17:59 -0400
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com.
Subject: Dear NSA, Thanks for Making Us All Insecure
Message-ID: <firstname.lastname@example.org>

http://www.businessweek.com/articles/2013-09-06/dear-nsa-thanks-for-making-us-all-insecure

Dear NSA, Thanks for Making Us All Insecure

By David Meyer
September 06, 2013

Dear stupid, stupid NSA,

I've got to hand it to you: As an agency set up with the task of breaking codes and spying on people, you seem to be doing a pretty sterling job.

You and your counterparts in the U.K., Australia, Canada, and New Zealand (and possibly elsewhere) are able to monitor most of the communications flowing around the world. You appear to have successfully subverted the American Web services that everyone uses, and you've used the value and size of the U.S. market to bring all manner of Internet backbone providers and hardware vendors on-side too.

Now we also know that you have - in your own words - some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies. So even if it takes a fair amount of effort (unlike your indiscriminate data-trawling techniques), that's basic Internet security out the window then. Nicely done.

We're still pretty sure that strong cryptography is safe (Edward Snowden said so, and he's yet to be proven wrong on this stuff), but even there it's not unreasonable to suspect you can muscle your way in if the situation merits it. Again, well played, maybe.

However, you've not stopped at code breaking - you have also made sure that vulnerabilities have been inserted into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.

Here's where the stupidity creeps in: You actively work to influence policies, standards, and specifications for commercial public key technologies and shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by yourself.

In other words, instead of just building a better lock pick, you are trying to make sure that all locks are faulty by design.

What is so jaw-droppingly idiotic about your actions is that you have not only subverted key elements of modern cryptography, but you have also appointed yourself as the guardian of the knowledge that the resulting vulnerabilities exist. And if your own security systems were up to the task, then those secrets wouldn't be sitting in the offices of the New York Times and ProPublica.

One must possess a Panglossian view on things to assume that Edward Snowden was the first person out of the many thousands in his position to make away with such material. He brought it to the public, and without that move there's a good chance you wouldn't have even known he took it. So who else has it? Bet you have no idea.

So well done; you've probably put your own citizens at risk. But let's ignore that distinct likelihood for a moment, and concentrate on the aftermath of Snowden's revelations.

If the first tranche of those revelations will hit the U.S. Web services and cloud economy hard - estimates vary as to how hard, and only time will tell - then the crypto scandal is going to do the same to the U.S. security industry. In fact, it's probably going to hurt more. Most people have too much invested in American Web services to pull out on short notice; it's relatively trivial in many cases to switch security services.

Of course, the implications aren't only glum for U.S. firms. There are enough hints in your leaked documents to suggest that you got to some foreign firms, too. And as you seem to have influenced the standards-setting process (sometimes cackhandedly) the global security industry must now think about starting from scratch.

Sadly for you, this time round your influence will be vastly diminished: It's going to be much harder to insert your demands into the finished product. As far as the rest of the world is concerned, the forum provided by the U.S. National Institute of Standards and Technology will now carry less weight. And because the security industry will now shift to open source - there is no other option if the new standards are to be trusted - installing hidden backdoors will be nearly impossible.

But what's really going to hurt is the U.S.'s slow loss of control over the Internet itself. As crypto guru Bruce Schneier wrote on Thursday:

I have resisted saying this up to now, and I am saddened to say it, but the U.S. has proved to be an unethical steward of the Internet. The U.K. is no better. The NSA's actions are legitimizing the Internet abuses by China, Russia, Iran, and others. We need to figure out new means of Internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's Internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Just because the U.S. invented the Internet doesn't mean it gets to maintain the level of control it now exercises forever. Particularly when you've now forced everyone to think about reengineering it.

Oh, and by the way, whether or not you do succeed in cracking the encryption protecting 4G communications by the end of this financial year, as you have predicted, you can probably expect U.S. influence in international telecommunications standards-setting to take a knock, too.

So in summary, you've blown it - and not just for yourselves. Good luck readjusting in the coming years!

Yours etc.,
David
Date: Sat, 7 Sep 2013 10:40:03 -0400
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: How App Store grifters clone an overnight success to make a quick buck
Message-ID: <email@example.com>

How App Store grifters clone an overnight success to make a quick buck

The iOS app A Beautiful Mess suffered a true attack of the clones.

by Casey Johnston
Aug 29 2013
Ars Technica

The app had only been out three months, and already the creators of A Beautiful Mess were scrambling to deal with a big problem: clones, copycats, and rip-offs, as many as seven of them, crowding the search results in the App Store. The clones appeared to be legitimate, affiliated versions, yet as all the developers knew, they were anything but. The CEO of the company that created the original A Beautiful Mess called them "infuriating."

Attack of the clones

The legitimate version of the app is a product of the lifestyle blog A Beautiful Mess; it allows users to augment photos or background patterns with text, doodles, and filters. The app was launched by Red Velvet Art LLC, which was affiliated with the blog, and it was developed by Rocket Mobile, a brand agency based in Austin, Texas. The app launched on May 14 and debuted as the number three paid app in the App Store. Shortly thereafter, it moved to the number one spot.

A Beautiful Mess lets you do things like this to photos of your cats, as well as photos of other things.

In June, the first clone appeared. It used the same icon and screenshots as A Beautiful Mess but came with a modified name: A Beautiful Mess Free. The second clone was produced by a developer named John Harlampa: A Beautiful Mess Plus.

By the beginning of August, seven clones cluttered up the App Store, and one rip-off was charting in the top 50, according to AppTweak. It hovered in that range until the day it was pulled, sometime on August 19. The original app, which had sustained a fairly high position on the paid charts, dropped as low as the fifties.

...

http://arstechnica.com/apple/2013/08/how-app-store-grifters-clone-an-overnight-success-to-make-a-quick-buck/
Date: Sat, 7 Sep 2013 10:21:07 -0400
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com.
Subject: Fwd: California poised to implement first electronic license plates
Message-ID: <firstname.lastname@example.org>

California poised to implement first electronic license plates

Cops, license plate readers are obsolete. You can now track us closer.

by Cyrus Farivar
Sept 6 2013
Ars Technica

This week, the California State Senate approved a bill that would create the nation's first electronic license plate. Having already passed the state's assembly, the bill now goes to Gov. Jerry Brown (D) for his signature.

The idea is that rather than have a static piece of printed metal adorned with stickers to display proper registration, the plate would be a screen that could wirelessly (likely over a mobile data network) receive updates from a central server to display that same information. In an example shown by a South Carolina vendor, messages such as "STOLEN," "EXPIRED," or something similar could also be displayed on a license plate.

...

http://arstechnica.com/tech-policy/2013/09/california-poised-to-implement-nations-first-electronic-license-plate-program/

***** Moderator's Note *****

OBTelecom: Substitute "Cell phone" for "License Plate" ...

Bill Horne
Moderator
Date: Sat, 7 Sep 2013 10:55:03 -0400
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: NSA surveillance: A guide to staying secure
Message-ID: <email@example.com>

NSA surveillance: A guide to staying secure

The NSA has huge capabilities - and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe

Bruce Schneier
6 September 2013

Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story - it was in process well before I showed up - but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

...

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Date: Sat, 7 Sep 2013 10:37:04 -0400
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com.
Subject: Apple confirms Apple Store iPhone trade-in program has launched today
Message-ID: <firstname.lastname@example.org>

Apple confirms Apple Store iPhone trade-in program has launched today

August 30, 2013

In line with our reports from earlier this week, Apple has announced that its Apple Store iPhone trade-in-program has launched today. The confirmation comes by way of comment to CNBC.

The trade-in-program is officially called the "iPhone Reuse and Recycling Program" and it is available in Apple Stores across the United States. It is powered in-part by BrightStar? The trade-in process can be conducted on the store floor, or at the Genius Bar. Apple will not be heavily promoting the program with marketing signage (as of now), but Apple Store employees have been instructed to recommend the program to applicable customers.

...

http://9to5mac.com/2013/08/30/apple-confirms-apple-store-iphone-trade-in-program-launches-today/
Date: Sat, 7 Sep 2013 10:48:46 -0400
From: Monty Solomon <email@example.com>
To: firstname.lastname@example.org.
Subject: iOS and Android weaknesses allow stealthy pilfering of website credentials
Message-ID: <email@example.com>

iOS and Android weaknesses allow stealthy pilfering of website credentials

Scientists call on Apple and Google to mitigate "origin crossing" attacks.

by Dan Goodin
Aug 27 2013
Ars Technica

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

...

http://arstechnica.com/security/2013/08/ios-and-android-weaknesses-allow-stealthy-pilfering-of-website-credentials/
TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Bill Horne. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author.

The Telecom Digest is moderated by Bill Horne.
43 Deerfield Road
Sharon MA 02067-2301
bill at horne dot net
This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category!

URL information: http://telecom-digest.org

Copyright (C) 2013 TELECOM Digest. All rights reserved. Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list. All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.