Shoulder Shock

Shoulder Shock: (n)
Def: The feeling of uneasy uncertainty when, during one's operation of a browser, a shoulder-surfer may have witnessed incriminating automatically completed words, URLs, histories, etc.

Shoulder Delay: (n)
Def: The delay between pressing keys and the relevant completion appearing. Should be 500ms at minimum. Most implementations are about 50ms.

Shock-Avoidance: (n)
Def: Typing as fast as possible to stay within 'shoulder delay' (qv), thereby avoiding 'shoulder shock' (qv).

Identity leak with Sprint wireless

By dialling a certain phone number from any phone, and punching in the phone number of any Sprint subscriber, the service will read the name and street address of the subscriber. It also can read back the names of people who might share the same address.

Does anyone else see this as a problem?

The automated service leaking this data is Sprint's international call identity verification service. I think the theory is that they want to provide extra safeguards so that people can't rack up massive fraudulent bills for international calls, so they want to really verify who you are.

In order to do this, they fall for a classic security blunder. They give you information and ask you if it's correct. Worse, it's an automated service, with no concept of what social engineering is.

The call went like this:

SPRINT: Hi, welcome to Sprint's international call identity verification service
        For English, say 'English'

SPRINT: To verify your identity, we will ask you some questions:
        What is the phone number you want to set up international calls on.

ME:     408-xxx-xxxx

SPRINT: Is the person on the account "STEVE PARKINSON", of [house number and street name]

ME:     YES    (STRIKE 1)

SPRINT: Good, let me fetch your security questions....
        First question:
        Which of the following addresses are also associated with the account holder
        1) random address one
        2) random address two
        3) [my current address, as just read to me above]
        4) none of the above


SPRINT: Correct
        Second question:
        Which of the following people also have lived with you at the same address:
        1) random person one
        2) random person two
        3) none of the above

ME:     TWO    [Hmm - I have a separate account with sprint, but looks like they'd be
        willing to give information on my roommate? STRIKE 2!]

SPRINT: Yes. Which county do you live in:
        1) San Diego
        2) Santa Clara
        3) Tulane
        4) none of the above

ME:     TWO  [STRIKE 3]

SPRINT: Yes. Your account can now make international calls.

So, the two major problems are:
- this is useless as an identity checking mechanism, because the questions they ask have obvious answers
- they leak an enormous amount of personal information

At first, I figured they must be ensuring that I can only check my own phone number, but no... I verified with a co-worker that you can punch in any sprint phone number.
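The two designs in the post, as an added illustration that is not Sprint's code and does not describe their system; the account records and phone numbers are constructed. The first function models the "read it back and ask if it's correct" flow: the prompt discloses the record before the caller proves anything, so it leaks the same data whether or not the caller is the subscriber. The second models a verifier that only accepts a check for the line the call comes from, makes the caller supply each value, compares without echoing, gives a single uninformative failure message, and locks after a few wrong attempts. Names, the `Verifier` class and its `MAX_ATTEMPTS` limit are assumptions made for the example.

```python
"""Confirm-style versus supply-style phone identity checks (constructed example)."""
import hmac

# Constructed sample subscriber directory; no real accounts.
ACCOUNTS = {
    "4085550100": {"name": "J. DOE", "address": "12 EXAMPLE ST", "county": "Santa Clara"},
}


def norm(value):
    """Normalise case and whitespace so honest typing differences don't fail the check."""
    return " ".join(value.upper().split())


def confirm_style_check(number, caller_says_yes=True):
    """Vulnerable design: look up the number, read the record back, ask for a YES.

    Returns (passed, transcript). The transcript is what the caller hears, which is
    the whole record, so anyone with the number learns name and address for free.
    """
    rec = ACCOUNTS.get(number)
    if rec is None:
        return False, ["no such account"]  # also an enumeration oracle
    transcript = [f"Is the person on the account {rec['name']}, of {rec['address']}?"]
    # The only secret the caller needs is the word YES.
    return caller_says_yes, transcript


class Verifier:
    """Hardened design (assumed for the example, not a vendor implementation).

    - scope: a line can only enrol itself, so number X cannot be queried from line Y
    - the caller supplies the values; the service never reads them out
    - constant-time comparison and one generic failure message, no field-level hints
    - a small attempt budget per line before a human has to get involved
    """

    MAX_ATTEMPTS = 3
    FIELDS = ("name", "address", "county")

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = {}

    def verify(self, caller_line, claimed_number, supplied):
        """Return (ok, message) for a caller on caller_line claiming claimed_number."""
        if caller_line != claimed_number:
            return False, "service can only be set up for the line you are calling from"
        if self.failures.get(claimed_number, 0) >= self.MAX_ATTEMPTS:
            return False, "locked; contact support"
        rec = self.accounts.get(claimed_number)
        ok = rec is not None and all(
            hmac.compare_digest(norm(rec[k]), norm(supplied.get(k, "")))
            for k in self.FIELDS
        )
        if not ok:
            self.failures[claimed_number] = self.failures.get(claimed_number, 0) + 1
            return False, "verification failed"  # same message for any wrong field
        return True, "verified"


if __name__ == "__main__":
    passed, heard = confirm_style_check("4085550100")
    print("confirm-style leaked:", heard[0], "| passed:", passed)
    v = Verifier(ACCOUNTS)
    print(v.verify("4085550100", "4085550100",
                   {"name": "j. doe", "address": "12 example st", "county": "santa clara"}))
    print(v.verify("4085550199", "4085550100", {}))
```

The point the model makes is that the confirm-style flow's leak is independent of the caller's answer: the record is spoken before any check happens, so the "security questions" cannot undo it. The hardened flow still depends on the caller knowing account data, which is weak knowledge-based authentication; what the scoping, non-echoing prompts and lockout buy is that the service no longer acts as a reverse lookup for arbitrary numbers.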

Update: This post was linked to from boingboing!

Update: Sorry, comments disabled due to idiocy.

One piece of sensible feedback I got:

Jason may indeed be absolutely correct that HE doesn't care that Sprint will give a name and address in exchange for a telephone number to anyone who asks, but not all people will agree. One of the numbers I gave to that Sprint voicebot was the number of a friend who is in a battered woman program. It gave her name and her current 'safehouse' address, and she WAS very concerned about that.

For myself, while there is not the safety concern, the fact that the billing address for number "X" is address "Y" is NOT public knowledge, nor should Sprint be broadcasting it to anyone who asks.

Thirdly, since this phony "security check" is for the purpose of turning on an additional high-priced service option, a more rational check needs to be made than one that GIVES a name and address and asks that you confirm it's right. Ridiculous!

Update: now on digg:

A comment there, from gaijin:

When I told my wife (a Sprint customer) about this she called them right away. She actually got hold of a supervisor, explained that she gave her cell number out to people that she might not want to have her home number or address, and then encouraged him to call the number and input HIS cell number. He was back on the phone in two minutes totally freaked out. He said his office hadn't known about it and they would change it ASAP. We'll see.

BTW, he and my wife both logged into this website and watched as the numbers of diggs steadily increased! That fact may get more reaction than anything else.


The main comment people seem to have is that this is just like a reverse phone book/whitepages service, and that there should be no expectation of privacy because some services will give your name/address away if you give them a phone number.

That's the case for land-line phones, although most providers do have the ability to opt out of their directories.
My understanding and expectation is that cell providers do not give out this information to directory providers.
For example, go to and try a reverse phone lookup on your cellphone. For me, it just says the name of the carrier.

Great! Apparently Sprint has fixed this. Well, at least according to And the number now gives me fast-busy. So, maybe they disabled it until they come up with a long term solution. Thanks for reacting quickly, Sprint!


Red Hat hires Andrew Bartlett

I'm happy to report that Andrew Bartlett from has started work at Red Hat this week. We're happy to have him here to help work on further integration of Samba into Red Hat Enterprise Linux. Andrew is an expert on all the funky authentication systems Windows uses, and he'll be a great deal of help as we improve our single-sign-on capability in RHEL 5.

Red Hat Certificate System Update

I've recently been working on adding support for Microsoft's proprietary automated certificate enrollment protocols to Red Hat Certificate System. We'll soon be able to have domain controllers and IIS webservers get their certificates from Red Hat Certificate System. Even better, I was able to do all this without licensing anything from Microsoft or reverse engineering anything. We'll release it as open source soon.

(no subject)

The Bush Administration is giving federal civilian agencies just 45 days to
comply with new recommendations for laptop encryption and two-factor authentication.

This is going to be fun to watch!

I have been talking to some of our customers recently about encryption. It seems there are two ways to go: laptops are generally single-user systems, and it's probably useful to encrypt at a block level (partition-wide). Or, you could go for directory-level encryption, which means that you'll need a lot more hooks into the filesystem, but you could support different directories encrypted for different users.

Someone should have told OMB that Windows doesn't support using smartcards with Microsoft's Encrypting File System.