PDA

View Full Version : It's Not Only Facebook!



Bruce Wrenn
03-20-2018, 8:01 AM
Sent my SIL an email last week. In email, mentioned a specific brand of self rising flour. Very next day start getting banner ads from Amazon for exact same brand of SR flour. Makes me think, who is reading my emails?

George Bokros
03-20-2018, 8:06 AM
Did you view that brand of flour on line before you sent the SIL the email? That is likely where they got your interest in that product. Happens to me here on SMC. I looked at a a web site for a installer of garage door openers and the next thing I knew there is an ad on SMC for that business.

Roger Nair
03-20-2018, 8:07 AM
Was a g-mail account involved or another so-called free service? I would suspect privacy has a cost for service. In George's case, the browser could be free but mines data for it's advertisers.

Mark Blatter
03-20-2018, 8:28 AM
Google, when they were first going public, had a simple phylosophy, 'Don't be evil'. That change years ago to basically, 'Do whatever it takes to make money'. They announced recently that they would no longer mine personal emails for advertising info. I don't believe them, but I also wear a tin hat.

I have reached the point where I little surprises me about tech and making money. No, I don't think the Tardis is real, but I do believe there is an extreme level of greed in the world today, greed that has many doing things their mother's would be ashamed of.

Sorry for ranting. Will put my tin hat back on now.

Curt Harms
03-20-2018, 8:42 AM
Was a g-mail account involved or another so-called free service? I would suspect privacy has a cost for service. In George's case, the browser could be free but mines data for it's advertisers.

Exactly. We pay for services one way or another. One way is obvious ($), the other way is less so (privacy, personal information). Very few things are free with no strings attached.

Mike Gresham
03-20-2018, 9:45 AM
Surely, you don't think email is private. There is a very good reason it is not a good idea to send credit card numbers through email. You have no idea of how many or which servers the email passes through on the way to its destination and how many eyes (both human and computer) have the opportunity to read it.

Frederick Skelly
03-20-2018, 1:55 PM
Ever notice that some email providers ask you if you want to stay logged on for 2 weeks (ATT for instance)?

I SUSPECT but have not verified that there are words in their TOS that say "user agrees that we can mine your email whenever you are logged on."

Rod Sheridan
03-20-2018, 2:21 PM
Bruce, after reading the news today, perhaps your data was also used to influence elections via Cambridge Analytica.

I'm glad I don't have a Facebook account.........Rod.

Mike Henderson
03-20-2018, 2:34 PM
If you have an email account that is yours - by that I mean if you have a domain name (like www.mikes-woodwork.com (http://www.mikes-woodwork.com)) - I don't believe anyone is reading your mail. If you use gmail, I would not be so sure.

It was very obvious from the beginning that Facebook's model was to learn as much as they could about you so that they could use that data to sell targeted advertising. I do not use Facebook for that reason. I do have a facebook page because every now and then, you have to go through Facebook, but I don't have anything on it.

I contrast Facebook to SMC. The things we post on SMC could be mined to learn more about us, but SMC's financial model is not to collect data about us and sell it.

Mike

Lee DeRaud
03-20-2018, 3:02 PM
Ever notice that some email providers ask you if you want to stay logged on for 2 weeks (ATT for instance)?

I SUSPECT but have not verified that there are words in their TOS that say "user agrees that we can mine your email whenever you are logged on."What difference does it make? You need to log in to read it*, and I guarantee their mining software can snarf it up while you're doing that.

*Even in my case, where my local copy of Outlook logs in, sucks the messages into my computer, deletes them, and then logs out. The amount of time that takes is tens of milliseconds to me, but a century in "server years".

Carlos Alvarez
03-20-2018, 3:21 PM
Surely, you don't think email is private. There is a very good reason it is not a good idea to send credit card numbers through email.

None of that is true. Source: Have been a network, voice, and security engineer for 30+ years.

If you use a free mail service, the system is indeed using keywords in it to catalog the things you are interested in. They aren't "reading" it really, but just looking for things you're talking about that they can advertise to you. Whatever you think of this, the fact is that it poses no security risk. There are no humans reading it and nobody is actually storing the data in a way that's easily related to you outside the system.

It is very safe to send card info via most e-mail services. Certainly safer than fax or voice calls, which are easily intercepted. In comparison, e-mails are encrypted in flight. I can easily capture and view/listen to fax and data calls on any network I manage, but not e-mails. Even if I have access to the data, it's encrypted and worthless. If you want some slightly sensitive info from me, you will get it via e-mail. If you want highly sensitive info, then it will need to be separately encrypted. Voice and fax are for things that don't matter. Also while Apple iMessage is secure, regular SMS is not, nor are most of the other messaging apps. So I'd send sensitive info via iMessage too.


but SMC's financial model is not to collect data about us and sell it.

They run ads which do that on their behalf. So no different.

Rick Moyer
03-20-2018, 3:29 PM
A month ago I took a friend along to Industrial Plywood in Lewistown. He merely rode along, no personal information was given to anyone. On the way home he got an ad on his phone about plywood (from Lowe's). Obviously we are being tracked by many entities. His location could have been known by his phone GPS, but the rest of the chain of information is, at best, discomforting!

andrew whicker
03-20-2018, 3:34 PM
None of that is true. Source: Have been a network, voice, and security engineer for 30+ years.

If you use a free mail service, the system is indeed using keywords in it to catalog the things you are interested in. They aren't "reading" it really, but just looking for things you're talking about that they can advertise to you. Whatever you think of this, the fact is that it poses no security risk. There are no humans reading it and nobody is actually storing the data in a way that's easily related to you outside the system.

It is very safe to send card info via most e-mail services. Certainly safer than fax or voice calls, which are easily intercepted. In comparison, e-mails are encrypted in flight. I can easily capture and view/listen to fax and data calls on any network I manage, but not e-mails. Even if I have access to the data, it's encrypted and worthless. If you want some slightly sensitive info from me, you will get it via e-mail. If you want highly sensitive info, then it will need to be separately encrypted. Voice and fax are for things that don't matter. Also while Apple iMessage is secure, regular SMS is not, nor are most of the other messaging apps. So I'd send sensitive info via iMessage too.



They run ads which do that on their behalf. So no different.

I didn't know this about fax and voice. You mean voice over internet, right? What about calling someone on my cell phone to their cell phone?

Haha, this makes me happy to know that fax is so easy to breach when almost every federal gov't form needs to be faxed. : )

Carlos Alvarez
03-20-2018, 3:49 PM
VoIP calls are mostly in the clear and could be intercepted, just like regular analog phone calls. Cell to cell calls have many variables. The connection from your phone to the tower is lightly encrypted. It's not trivial to decode, but could be (and progress was made to prevent this, but I don't know the current status as it's not my job, it could be fixed now). If the call is going to another cell on the same network, 99% likely that the carrier will keep it on-net. But probably not encrypted, and even if it is encrypted, they hold the keys, not you. So their people could decrypt it. If it leaves the cell carrier network for the regular phone network, it's not encrypted and is very easy to intercept there. Meaning that a person with access to the network could, but getting access to the network is very limited. To people like me. I've never intercepted any data I was not allowed to, but I'm always 30 seconds away from being able to. I've had to do intercepts and captures for law enforcement and other lawful reasons.

Fax is the most awful way to send anything. It's totally not secure. It's totally easy to fake and manipulate. It's not easy to fake or manipulate an e-mail, and it's not easy to intercept an e-mail. I realize most people have been told a big lie about fax being secure.

Carlos Alvarez
03-20-2018, 4:09 PM
What difference does it make? You need to log in to read it*, and I guarantee their mining software can snarf it up while you're doing that.

*Even in my case, where my local copy of Outlook logs in, sucks the messages into my computer, deletes them, and then logs out. The amount of time that takes is tens of milliseconds to me, but a century in "server years".

It's very frustrating to have worked your entire life in tech and see people post things they simply either made up or repeated from someone else who made them up, with zero bearing on reality. You should stop doing that.

Brian W Evans
03-20-2018, 4:54 PM
A month ago I took a friend along to Industrial Plywood in Lewistown. He merely rode along, no personal information was given to anyone. On the way home he got an ad on his phone about plywood (from Lowe's). Obviously we are being tracked by many entities. His location could have been known by his phone GPS, but the rest of the chain of information is, at best, discomforting!

Smartphones were built from the ground up to be spies. A less paranoid-sounding way of saying that would be that the business model for smartphones includes gathering information on users that can be sold to advertisers. If you've ever tried to make a smartphone more private by adding a firewall, adblocker, etc., you will find that it is MUCH more difficult than on a PC and that doing so destroys a lot of the functionality. Most service providers and phone manufacturers prevent you from adding security measures like this altogether.

Part of the problem, too, is that your cellphone has to constantly ping cell towers, which makes you trackable. I'm not sure if that information is sold or shared but it's definitely stored.

**********

Email is often encrypted in transit BUT only if the person on the other end is set up to receive encrypted email. Not all email providers do this. I believe Google now warns you if someone you're corresponding with is not set up for encryption. Not sure about other providers.

**********

Setting up your own email server is, theoretically, easy. One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic. You can deal with this problem but be prepared to do a lot of research and deal with DNS records.

If you get some sort of email service from your ISP or hosting company that allows you to put your domain on it, you're just using someone else's email service and I wouldn't bet they aren't scanning your email as well.

**********

Sawmill Creek is open to google and other search engines, which means their bots are scraping this site all the time. This is why you can use google to search SMC. No matter what SMC's privacy policy is, everything we post is out there for anyone to search or compile, and is attached to our names.

**********

Here is a resource for making your technology use more private: https://www.privacytools.io I have not tried or researched most of the services, but I do use many of the plugins / add-ons.

For fun, check out this site: https://panopticlick.eff.org It will show you all the ways your web browser is susceptible to tracking. The same organization offers a few tools for helping cut back on some of the tracking.



Carlos, feel free to correct me if I'm wrong about any of this. I'm kind of obsessed with this topic, if you couldn't tell.

Lee DeRaud
03-20-2018, 5:14 PM
One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic.And yet they don't seem to have any problem accepting email from verified spammers.

Lee DeRaud
03-20-2018, 5:19 PM
It's very frustrating to have worked your entire life in tech and see people post things they simply either made up or repeated from someone else who made them up, with zero bearing on reality. You should stop doing that.If you have an issue with something specific I said, just say so. You might also want to keep in mind that you're not the only one here who has worked his entire life in tech.

Jim Becker
03-20-2018, 5:24 PM
VoIP calls are mostly in the clear and could be intercepted, just like regular analog phone calls.

This is totally dependent on the VoIP solution and/or the provider. That said, most consumer focused VoIP solutions are indeed unencrypted normally. The business communication systems I designed and sold for the past couple of decades for one of the industry leaders were completely encrypted internally by default (no capture/listen possible like some other competitors) and until recently when clients started to embrace SIP trunks, things were secure at the hand-off to the PSTN, too. Things get fuzzy with SIP trunks...sometimes there's encryption beyond the demark; sometimes there is not...so there's always the assumption that the voice call is in the clear beyond the organization.

Mike Henderson
03-20-2018, 5:40 PM
They run ads which do that on their behalf. So no different.

I'd have to ask the people who run the site, but I doubt if the ads can view what people are posting. Also, although people can "tap" a phone line or listen in on an unencrypted VOIP call, doing so without a warrant is a crime. (People who are working on the system and inadvertently hear snippets would not be considered to be committing a crime.)



Fax is the most awful way to send anything. It's totally not secure. It's totally easy to fake and manipulate. It's not easy to fake or manipulate an e-mail, and it's not easy to intercept an e-mail. I realize most people have been told a big lie about fax being secure.

If the fax is sent over the standard PSTN, you'd have to get access to the lines in order to intercept a fax. And once the call reaches the central office, the signal is digitized and put into a digital data stream. Getting one signal out of the digital data stream is tough to do. For more information on the digital data streams, see here (http://www.michael-henderson.us/Papers/Framing(rev%20b).pdf). Getting the data for one call from an optical link is even more difficult. See here (http://www.michael-henderson.us/Papers/SONET-SDH.pdf)for more information. And if you did so without a warrant you'd be committing a crime. Even if you were to intercept a fax that was sent over VOIP you'd be committing a crime by intercepting it, unless you had a warrant.

Perhaps what you mean is that someone can give you a phone number that is not what you think it is and you send a fax to that number. But if you know who you're sending to, a fax is no less secure than a voice call. The fax is going over the same voice circuit and is governed by the same laws.

Mike

Carlos Alvarez
03-20-2018, 6:57 PM
EDIT: Also adding this because I may sound a little harsh... I tend to be blunt and straightforward, particularly on technical topics that I'm very familiar with. I intend no judgments of peoples' choices, they're not hurting anyone. But when I say that something seems like a "silly" idea I'm just saying that from a tech perspective it likely doesn't solve anything meaningful.


Smartphones were built from the ground up to be spies. A less paranoid-sounding way of saying that would be that the business model for smartphones includes gathering information on users that can be sold to advertisers.

Only true about Androids. Apple and MS protect your privacy. You can trivially add an adblocker to an iDevice, and in fact it comes with some of that built in. I can't say how hard/easy it is to add what most people call privacy software to an Android because they don't really help anything at all on any device, computer or handheld. They're just paranoia pacifiers with no useful effect. I use an adblocker on all devices simply because I don't want to see the junk, but it has nothing to do with privacy. Ads that mirror your interests have nothing to do with privacy IMO. But ALL ads are annoying.



Most service providers and phone manufacturers prevent you from adding security measures like this altogether.

Android only again. And if you're really paranoid and you refuse to buy an iDevice, then get one of the built-secure Androids. Or just buy a phone and root it, then do anything you want. The possibilities are there. I believe, however, that it's all pointless and advise against it.



Email is often encrypted in transit BUT only if the person on the other end is set up to receive encrypted email. Not all email providers do this. I believe Google now warns you if someone you're corresponding with is not set up for encryption. Not sure about other providers.

Not true, nearly all mail servers encrypt in flight without user intervention. Users can further set up their own encryption so even the mail server can't read the body of the mail, but right now nearly all e-mails would be impossible for a third party to just capture and read.




Setting up your own email server is, theoretically, easy. One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic. You can deal with this problem but be prepared to do a lot of research and deal with DNS records.

All servers require one to deal with DNS and other technical items. That's the nature of it. It's trivial for a technical person to set up a mail server and everyone will accept mail from it. I've stopped running my own servers however and outsourced to Google. They do it better. Also paid accounts are not scanned for words to market to you. Either way, keyword scanning has nothing to do with real privacy IMO.



If you get some sort of email service from your ISP or hosting company that allows you to put your domain on it, you're just using someone else's email service and I wouldn't bet they aren't scanning your email as well.

Read their policies.



Here is a resource for making your technology use more private: https://www.privacytools.io I have not tried or researched most of the services, but I do use many of the plugins / add-ons.

Define "privacy" first, for your own preferences. I find that almost everything everyone does, like VPNs, is just misunderstood and does nothing for any real privacy or protection. Hiding your IP address has nothing to do with anything I consider private. It only helps you do illegal things, or things that violate terms of service. Such as pirating movies without detection (but there are better ways) or watching media that's regionally restricted. I can't come up with any rational, legal, and non-violating reasons for any consumer to use a VPN. Corporate access, of course, is another matter.

I find the entire OMG SNOOPING ADS hysteria to be silly, and nobody is really giving a damn about important things like government spying and what data you willingly give up to so many places who CAN do damage. For example, no government agents know my real address. That includes the close-to-government companies like banks, or really anyone who does reporting. Just yesterday I pulled my Acxiom report and as always, they think I'm a 30 year old making $30k/year and living in a small apartment (which is a postal box address). I purposely pollute public data about myself and simply don't give out unnecessary info. I bet when your doctor, a government agent, or even the oil change place down the street asks for your address and phone number, you provide it? I do not. I don't carry ID either, almost nobody needs to see that ever, so I fight when it's asked for and not required. You want paranoid but effective ideas, let's go have a beer.

Edwin Santos
03-20-2018, 7:18 PM
Fax is the most awful way to send anything. It's totally not secure. It's totally easy to fake and manipulate. It's not easy to fake or manipulate an e-mail, and it's not easy to intercept an e-mail. I realize most people have been told a big lie about fax being secure.

If this is true, then it's remarkable to me that fax is considered to be HIPPA compliant among healthcare providers but conventional email is not. In the hospital environment I've watched faxes with health information including demographic info, SS#, etc, being faxed all over the place.
Edwin

Brian W Evans
03-20-2018, 7:48 PM
Define "privacy" first, for your own preferences. I find that almost everything everyone does, like VPNs, is just misunderstood and does nothing for any real privacy or protection. Hiding your IP address has nothing to do with anything I consider private. It only helps you do illegal things, or things that violate terms of service. Such as pirating movies without detection (but there are better ways) or watching media that's regionally restricted. I can't come up with any rational, legal, and non-violating reasons for any consumer to use a VPN. Corporate access, of course, is another matter.

I find the entire OMG SNOOPING ADS hysteria to be silly, and nobody is really giving a damn about important things like government spying and what data you willingly give up to so many places who CAN do damage. For example, no government agents know my real address. That includes the close-to-government companies like banks, or really anyone who does reporting. Just yesterday I pulled my Acxiom report and as always, they think I'm a 30 year old making $30k/year and living in a small apartment (which is a postal box address). I purposely pollute public data about myself and simply don't give out unnecessary info. I bet when your doctor, a government agent, or even the oil change place down the street asks for your address and phone number, you provide it? I do not. I don't carry ID either, almost nobody needs to see that ever, so I fight when it's asked for and not required. You want paranoid but effective ideas, let's go have a beer.

Thanks for that info. I do not use Apple products so, yes, I am speaking about Android. I'm skeptical that Apple and MS can compete while adequately protecting what I call privacy, however.

I use a VPN almost daily to access my home network and whenever I use public wifi. Surely you think those are worthwhile reasons? I don't commit crimes, pirate media, or knowingly violate terms of service. I also find that adblockers and firewalls on a rooted Android device (harder and harder to come by, btw) are pretty effective. I use them because most apps don't need to be shipping the contents of my contacts list off to some server, and a surprising number of them seem to want access to things I can't see a reason for.

You stated that you don't see a reason to hide an IP address that has a legal purpose. Does hiding your physical address have a legal or ethical purpose, then?

Carlos Alvarez
03-21-2018, 11:19 AM
I'd have to ask the people who run the site, but I doubt if the ads can view what people are posting.

They can and do. The forum is public. Anyone/anything can read it. Anyone wanting to correlate an ad to the content would do it. And they do.



Also, although people can "tap" a phone line or listen in on an unencrypted VOIP call, doing so without a warrant is a crime. (People who are working on the system and inadvertently hear snippets would not be considered to be committing a crime.)


It's a crime to "tap" e-mail and other electronic systems also. We were discussing whether it CAN be done, not whether its legal.



And once the call reaches the central office, the signal is digitized and put into a digital data stream. Getting one signal out of the digital data stream is tough to do.


Not really all that difficult. Easier than capturing the one e-mail you want to snoop on.



Perhaps what you mean is that someone can give you a phone number that is not what you think it is and you send a fax to that number.


No, I meant that a normal fax/call is generally easier to intercept than an e-mail.

It's not EASY, but the only point was that generally it's hard to snoop on the e-mail. I've had to do both many times for clients and law enforcement.

All of this becomes blurrier now that phone calls (including faxes) are quickly switching to IP instead of actual circuit-switched lines. "Access" to the data becomes very different--both easier and harder. But the fact remains that the e-mail is likely to be encrypted, and the voice call/fax is not likely to be encrypted.

Carlos Alvarez
03-21-2018, 11:23 AM
If this is true, then it's remarkable to me that fax is considered to be HIPPA compliant among healthcare providers but conventional email is not. In the hospital environment I've watched faxes with health information including demographic info, SS#, etc, being faxed all over the place.
Edwin

Yeah, educating people on their silly requirements for things like fax is a big part of my job. For HIPAA-covered clients, we keep the calls, voicemails, and faxes on a private network and/or use VPNs. All our large clients are on a regional private network direct to us.

HIPAA also still requires people to change a too-long password too often, which has been proven to REDUCE security, but government regs are mostly written by idiots. So there's a wink/nod thing with all the auditors where they know you will play games with your password change policies to get by.

Mike Henderson
03-21-2018, 1:31 PM
No, I meant that a normal fax/call is generally easier to intercept than an e-mail.

For a call, either voice or fax, made across the PSTN, please explain how you would intercept the call. Seems to me that the issue is access to the physical lines or the digital data stream. Once you have access, it is possible to intercept a call or fax if you have the proper equipment and knowledge, but I wouldn't call that easy. And even if you got access to the lines, and had the equipment of decode one channel out of the data stream, how would you identify which one to decode. The information about a line is carried in a separate channel (signaling system 7) and is encrypted.

And legal issues play into it. Any corporation, for example, is not going to do wiretapping and risk the consequences of being caught.

Perhaps you're referring to a call made over VOIP, which is not the PSTN.

Over all, I would consider a fax sent over the PSTN to be pretty secure.

Mike

Carlos Alvarez
03-21-2018, 1:58 PM
The e-mails go over the same networks. If you have access to that, then you have access to the voice and fax. The e-mail is encrypted, the fax/voice is not. Therefore, it's easier to grab the fax/voice, but not EASY to do. My only point was about the misconception that fax/voice is more secure.

As far as how *I* would do it, I have full access into a voice/data network, as well as client networks. Again, I do this for a living, and have done lawful intercepts on both PSTN and VoIP.

Also SS7 is basically dead and there have always been lots of places where the encoding is simpler.

Mike Henderson
03-21-2018, 2:31 PM
The e-mails go over the same networks. If you have access to that, then you have access to the voice and fax. The e-mail is encrypted, the fax/voice is not. Therefore, it's easier to grab the fax/voice, but not EASY to do. My only point was about the misconception that fax/voice is more secure.

As far as how *I* would do it, I have full access into a voice/data network, as well as client networks. Again, I do this for a living, and have done lawful intercepts on both PSTN and VoIP.

Also SS7 is basically dead and there have always been lots of places where the encoding is simpler.

While *you* may be able to intercept voice and fax calls, I don't think that makes fax an unsecure method of sending information. You would be constrained by law from doing unlawful intercepts and people without such inhibitions would not have access to the circuits.

Also, it's difficult for me to believe that SS7 is "dead". I know how much work and time went into developing SS7 and getting it accepted worldwide. And how much equipment is dedicated worldwide to use with SS7. I've been out of the business for a while but the telephone companies would have to have made major (expensive) changes to their networks to get rid of SS7. And it would have to have been done worldwide. To say nothing about getting all of the administrations (worldwide) to accept a change from SS7.

When you say that fax is not secure, who do you think is going to compromise a fax that is sent between two doctor's offices across the PSTN?

Mike

Carlos Alvarez
03-21-2018, 2:45 PM
Last time I will try to be clear: Fax is LESS secure than e-mail, but probably secure enough in the real world for most uses. My original point was that the fear of e-mail is unfounded relative to data people are willing to fax or talk about. Fax is not secure because you CAN intercept it, while most e-mail cannot be. If I wanted to target a doctor's office, I could put on a hardhat and tool belt and clip a recorder on their incoming analog phone lines. Not LIKELY to happen, but can, therefore fax is not secure.

The PSTN in general is dead, FCC order. SS7 goes away with it. I've barely touched it, my world didn't really need it for anything.

EDIT: I did a microwave job at the state capital, and was able to access the entire telco room merely by walking in with a hard hat, clipboard, radio, etc. Looking official and walking like I belonged there. Nobody stopped me. I also made it into Rose Mofford's office accidentally, and she called me "darling" while escorting me out. Places are so easy to get into.

Mike Henderson
03-21-2018, 3:36 PM
Last time I will try to be clear: Fax is LESS secure than e-mail, but probably secure enough in the real world for most uses. My original point was that the fear of e-mail is unfounded relative to data people are willing to fax or talk about. Fax is not secure because you CAN intercept it, while most e-mail cannot be. If I wanted to target a doctor's office, I could put on a hardhat and tool belt and clip a recorder on their incoming analog phone lines. Not LIKELY to happen, but can, therefore fax is not secure.

The PSTN in general is dead, FCC order. SS7 goes away with it. I've barely touched it, my world didn't really need it for anything.

EDIT: I did a microwave job at the state capital, and was able to access the entire telco room merely by walking in with a hard hat, clipboard, radio, etc. Looking official and walking like I belonged there. Nobody stopped me. I also made it into Rose Mofford's office accidentally, and she called me "darling" while escorting me out. Places are so easy to get into.

I did some more thinking about this. For a fair portion of my career, I participated in ITU communications standards setting bodies (but not the one that set the SS7 standards) (in fact, it was the CCITT when I started). In those bodies, I interfaced with representatives of the various worldwide administrations. If SS7 is "dead" I know for an absolute fact that the administrations would not accept a replacement (let's call it SS8) unless that replacement provided all the functions of SS7 and more, and was more secure than SS7.

So based on SS7, for someone to intercept a particular call (which would include a fax call) they would first have to have physical access. Then they would have to be able to interpret the signaling in SS7 or SS8, including breaking the encryption, then they would have to find the logical "circuit" for that call, which would probably be on a different physical circuit. That's a tall order for some individual hacker. Governmenal actors can certainly do that, but they can get the access.

If you work in a switching center, you have all the equipment and security access to view a particular "circuit" and the information carried within it. But for someone "outside" it's not so easy.

No, I expect that phone calls and fax across the PSTN are reasonable secure from your average hacker, in addition to being a crime.

And if you get your telephone service from one of the LECs, you, by definition, are using the PSTN. The people who run the PSTN may use IP "circuits" instead of traditional circuits but it's still the PSTN. And when you call someone essentially anywhere in the world, your call has to go over the PSTN. I'd sure like to see some FCC order that the PSTN is "dead". Can you give me a pointer to that order? I didn't think so. The FCC simply does not issue those kinds of orders.

Mike

Edwin Santos
03-21-2018, 3:43 PM
I also made it into Rose Mofford's office accidentally, and she called me "darling" while escorting me out. Places are so easy to get into.

Carlos,
Did Rose Mofford's hair look in real life anything like the magical spun cotton candy it looked like on TV? I always thought she was kind of cool.
For a while there she had a battle of the hair going with Governor Ann Richards of Texas.
Edwin

382028

Carlos Alvarez
03-21-2018, 4:30 PM
http://www.dslreports.com/shownews/The-FCC-Ponders-the-Death-of-the-PSTN-115041

You don't need to attack this at the CO or deeper. There are plenty of places in the PSTN where you could grab the PRI or analog line to the customer, and that's easily hacked. You keep assuming someone is going to attack this at a core. And since the PSTN is dead, it's all going to be IP soon anyway.

Everything we both know about the PSTN is useless now (well, very soon). I've already eliminated all TDM type connectivity like PRI and the like.

Julie Moriarty
03-21-2018, 4:52 PM
Bruce, after reading the news today, perhaps your data was also used to influence elections via Cambridge Analytica.

I'm glad I don't have a Facebook account.........Rod.

Yeah, what CA and Facebook pulled off makes the "You tell two friends and they tell two friends..." concept look anemic. Online privacy is a myth.

Mike Henderson
03-21-2018, 4:54 PM
http://www.dslreports.com/shownews/The-FCC-Ponders-the-Death-of-the-PSTN-115041

You don't need to attack this at the CO or deeper. There are plenty of places in the PSTN where you could grab the PRI or analog line to the customer, and that's easily hacked. You keep assuming someone is going to attack this at a core. And since the PSTN is dead, it's all going to be IP soon anyway.

Everything we both know about the PSTN is useless now (well, very soon). I've already eliminated all TDM type connectivity like PRI and the like.

So there is no FCC order to kill the PSTN - there's just some people who are talking about it. I really doubt if the FCC would issue a technology order - their position has always been that the market makes those decisions. If your premise is that someone would have to tap the access line, either analog or T1 (or ISDN PRI) line (or even an optical link), then certainly someone could intercept the communications, while committing a crime. However, that does not make FAX an unsecure method of communications, per se.

Wiretapping (without a warrant) is considered a fairly serious offense in the US. And I doubt if it's very common.

Mike

[The communications techniques used in the network are determined by international standards bodies of the United Nations (SONET, SDN, T and E carriers, SS7, and many more). None of these were ever mandated by the FCC, nor should the FCC issue such mandates. The structure of the network has never been mandated by the FCC. Perhaps what people are talking about is the political aspect of the network. There are still requirements that voice service be provided (available) to each citizen of the US. If there wasn't such a mandate, the companies would only provide service in the cities where it's profitable. Providing service to an outlying farm is probably not profitable because they will never recover the cost of providing the service. Same is true for electric power in many places, and there's the same kind of mandate.]

Carlos Alvarez
03-21-2018, 5:02 PM
I have no idea how to further say that fax simply is less secure than e-mail, and is not secure in the sense that it's not encrypted.

Carlos Alvarez
03-21-2018, 5:04 PM
Hah, I believe she was wearing something on her head at the time. Obviously it was a long time ago. Scarf, hat, dunno. I was already a little worried about pawing around unescorted, even though I had legit work there. But it was easier to sneak in than to go through the security crap. Also I love to see what I can get away with, especially when there's no real risk.

Mike Henderson
03-21-2018, 5:36 PM
I have no idea how to further say that fax simply is less secure than e-mail, and is not secure in the sense that it's not encrypted.

Sure, that's true. But if it's very difficult for someone to intercept the communications, the fact that it's not encrypted doesn't make a lot of difference.

I don't send faxes anymore (unless forced to), but I wouldn't worry about my fax being intercepted because it was not encrypted. And I think that's why doctors still use faxes, even with their problems (the image often isn't very good and the information can be misinterpreted because of that, the receiving fax can have a paper jam and not report that the fax didn't go through). Fax is an old technology with a lot of issues but interception is not one of the major ones.

Mike

Carlos Alvarez
03-21-2018, 6:02 PM
I just intercepted a fax. Because of this conversation, I had a discussion with a neighbor who unfortunately still has to use fax for work, and works from home. I had never really thought about this, and he deals in trade secrets for a big company you've heard of. I asked if I could do it, but he didn't help in any way, and there was no way for him to know I did it. I simply broke the tiny lock off his demarc and threw on some clips. He's bringing this info to his CIO/CTO. Because people know he works for them, know the value of his secrets, and he'd be easy to find. Just one example.

Mike Henderson
03-21-2018, 6:19 PM
I just intercepted a fax. Because of this conversation, I had a discussion with a neighbor who unfortunately still has to use fax for work, and works from home. I had never really thought about this, and he deals in trade secrets for a big company you've heard of. I asked if I could do it, but he didn't help in any way, and there was no way for him to know I did it. I simply broke the tiny lock off his demarc and threw on some clips. He's bringing this info to his CIO/CTO. Because people know he works for them, know the value of his secrets, and he'd be easy to find. Just one example.

Sure, but what you're doing is wiretapping. With that you could hear all of his conversations, also. Wiretapping is not specific to fax. This is assuming he has standard analog POTS service.

If he had something like AT&T Uverse, what you'd see at the demark is the VDSL signal. So you'd have to be able to interpret the VDSL signal and then extract the fax out of the signal. But, as you pointed out, if you wiretap and have the knowledge and equipment you can see anything in the data stream.

But wiretapping at my house is just not something that keeps me awake at night. What you're arguing is that someone can wiretap our telephone lines, not that fax is inherently insecure.

Mike

Carlos Alvarez
03-21-2018, 6:51 PM
Fax is inherently insecure because it can be wiretapped just like phone calls. E-mail is inherently more secure because in most cases it cannot.

Neither keeps me up at night, but I don't use fax ever, and my voice calls go over a VPN since I own the network. Also I'm not a target. My neighbor is. How much industrial espionage has been done with wiretaps?

Julie Moriarty
03-21-2018, 7:27 PM
I have no idea how to further say that fax simply is less secure than e-mail, and is not secure in the sense that it's not encrypted.

But don't you think those sophisticated hackers out there doing the stealing ignore fax transmissions because they think it's just old people sharing recipes? :rolleyes:

Carlos Alvarez
03-21-2018, 7:42 PM
But don't you think those sophisticated hackers out there doing the stealing ignore fax transmissions because they think it's just old people sharing recipes? :rolleyes:

Unfortunately fax is used to transmit the most sensitive info. Stupid but true. The old people sharing recipes are doing it with Evernote.

Jim Becker
03-21-2018, 7:53 PM
Mike, Carlos is correct that SS7 has been largely depreciated since it was developed for the old class 4 and class 5 network switches which in the current world have been replaced by soft switches and IP/SIP in the network core. "Circuits" are a thing of the past outside of legacy gear that may still exist in some "mom and pop" areas in the US and some countries elsewhere. "PSTN" runs largely on IP/SIP at this point beyond the local CO and any remaining copper lines to homes and businesses.

I just retired from 21 years in that ecosystem that dates back to ol' Alexander Graham Bell. :)

Edwin Santos
03-21-2018, 7:58 PM
This is an interesting discussion.
Help out a non-techie here - so if I'm following correctly, a fax can be intercepted by wiretapping the analog phone line whereas an email cannot.
So this would require physical presence in the sense that say, an Albanian hacker would have to get to the incoming or outgoing analog line in order to wiretap it.

However, can an email be accessed remotely by the Albanian hacker if he/she had the skills to hack the email server through the internet from wherever? I'm trying to understand the distinction in difficulty as well as the distinction in proximity.
I'm thinking of the news stories of how John Podesta's email was hacked during the Clinton campaign.

Edwin

Carlos Alvarez
03-21-2018, 8:05 PM
Mike, Carlos is correct that SS7 has been largely depreciated since it was developed for the old class 4 and class 5 network switches which in the current world have been replaced by soft switches and IP/SIP in the network core. "Circuits" are a thing of the past outside of legacy gear that may still exist in some "mom and pop" areas in the US and some countries elsewhere. "PSTN" runs largely on IP/SIP at this point beyond the local CO and any remaining copper lines to homes and businesses.

I just retired from 21 years in that ecosystem that dates back to ol' Alexander Graham Bell. :)

The ugly thing is that the brand new neighborhood near me was ... wired with telco copper. Sigh. I thought, "Bless their little hearts." Our local cable company offers coax-based gigabit at $120/mo. Doesn't suck, when you work from home and everything is online.

Jim Becker
03-21-2018, 8:08 PM
The ugly thing is that the brand new neighborhood near me was ... wired with telco copper. Sigh. I thought, "Bless their little hearts." Our local cable company offers coax-based gigabit at $120/mo. Doesn't suck, when you work from home and everything is online.
For pretty much all of my 21 years with my former employer, I was virtual office at home. FiOS was a game-changer for me when it became available because I could finally use ALL the bells and whistles I had been selling to my customers. :) And the symmetrical service clearly helped a lot when higher-bandwidth video became commonplace. I don't understand why ANY provider would install legacy copper in a new neighborhood at this point...sheesh!

Mike Henderson
03-21-2018, 8:08 PM
Mike, Carlos is correct that SS7 has been largely depreciated since it was developed for the old class 4 and class 5 network switches which in the current world have been replaced by soft switches and IP/SIP in the network core. "Circuits" are a thing of the past outside of legacy gear that may still exist in some "mom and pop" areas in the US and some countries elsewhere. "PSTN" runs largely on IP/SIP at this point beyond the local CO and any remaining copper lines to homes and businesses.

I just retired from 21 years in that ecosystem that dates back to ol' Alexander Graham Bell. :)

It doesn't matter what you call it, Jim, the international telephone network is going to have a control system that has all the functionality and security of SS7, and probably more. So for discussion we can use the functionality of SS7 and not be too far off. You still have to set up a call, report call progress indications, and tear down the call when it's complete.

But the control system used does not have anything to do with whether a fax is a secure way to send information between two doctors. I maintain that it's pretty hard to hack into a specific call unless you're part of the system.

I haven't looked it up, but I expect that fax over IP is handled by coding/decoding the fax modem at the end points and then sending the actual data across in IP packets. The alternative would be to carry the fax modem modulation over the network, which would require replicating a 64kbps circuit. If only the data is sent, that data could be encrypted, just like any other data. I don't know if fax over IP encrypts.

I think we agree that hacking into the telephone network and extracting one specific "circuit" is extremely difficult for an outside person and that the only reasonable way someone could get the data is to wiretap the access line.

Mike

Jim Becker
03-21-2018, 8:12 PM
The major carrier networks are IMS three-layer networks and use SIP for signaling. All of the functions you describe are part of that design and there's no SS7 utilized.

Fax over IP is very much related to Modem over IP. The same is true for legacy "secure" communications that entities like the government uses, although they are quickly moving to secure SIP via endpoints like General Dynamics vIPer sets.

Mike Henderson
03-21-2018, 8:16 PM
The major carrier networks are IMS three-layer networks and use SIP for signaling. All of the functions you describe are part of that design and there's no SS7 utilized.

Fax over IP is very much related to Modem over IP. The same is true for legacy "secure" communications that entities like the government uses, although they are quickly moving to secure SIP via endpoints like General Dynamics vIPer sets.

Note that I said that whatever was used for control MUST have at least the functionality of SS7, and probably has more functionality and security. If I use the functionality of SS7 for discussion, I'll be pretty close.

Mike

[I just looked up T.38 (fax over IP) and there's no mention of encryption.]

[It's been over 10 years since I retired but when I retired there were an enormous number of class 5 switches in the network serving the local loops. There were also an enormous number of DSLAMs in the neighborhoods that served the local loops and then went back to the class 5 switch via an optical link. That investment was huge. I doubt if every class 5 switch has been replaced by some other type of equipment today.
It was interesting to visit some of the old central offices in urban areas. They were sized for the steppers used to switch calls years ago. So what you'd see is a large, somewhat empty, building with a class 5 switch at one end.]

Carlos Alvarez
03-21-2018, 8:19 PM
This is an interesting discussion.
Help out a non-techie here - so if I'm following correctly, a fax can be intercepted by wiretapping the analog phone line whereas an email cannot.
So this would require physical presence in the sense that say, an Albanian hacker would have to get to the incoming or outgoing analog line in order to wiretap it.

However, can an email be accessed remotely by the Albanian hacker if he/she had the skills to hack the email server through the internet from wherever? I'm trying to understand the distinction in difficulty as well as the distinction in proximity.
I'm thinking of the news stories of how John Podesta's email was hacked during the Clinton campaign.

Edwin

Nearly all "email hacking" is done by non-technical methods such as using social engineering to find the password. I have no idea who John Podesta is or his story, but did you hear the method used to crack the account? Also there's a big difference between somehow logging into the place where the mail is stored and intercepting it on the way there. Most of this conversation has been about interception. A fax stored on a server, or an e-mail stored on a server both have the same vulnerability. A fax sitting on a machine is open to snooping with physical access.

Attacking networks--voice or data--can be done either with physical access or with remote cracking methods. A claim was made that it's very hard to crack the networks, and sure, "hard" is relative. But it happens.

Bruce Wrenn
03-21-2018, 8:20 PM
Boy has this thread assumed a life of it's own, right down a rabbet hole. Back to original post. The brand of SR flour I mentioned is a regional brand, not a national brand. I had talked to SIL by phone earlier, but didn't mention any brand names. She asked me to email her recipe. The recipe was for biscuits, FYI.

Carlos Alvarez
03-21-2018, 8:26 PM
For pretty much all of my 21 years with my former employer, I was virtual office at home. FiOS was a game-changer for me when it became available because I could finally use ALL the bells and whistles I had been selling to my customers. :) And the symmetrical service clearly helped a lot when higher-bandwidth video became commonplace. I don't understand why ANY provider would install legacy copper in a new neighborhood at this point...sheesh!

I was so thrilled when I got an ISDN BRI at home to dial into my office with (I managed a state-wide ISP at the time). Damn, I'm old. They installed copper because the laws are still antiquated and they must. Though I guess that brings in DSL too, for those who don't care about speed and reliability. It's cheap.

Carlos Alvarez
03-21-2018, 8:51 PM
SS7 is horribly insecure, and it's not hard to secure SIP. You can also do vastly more with SIP. We have direct IP to T-Mobile and Verizon now, so we can totally bypass the old real PSTN for those calls. Which means we get high-quality voice (enough for non-techs to comment on it), better caller ID control, etc etc.

Jim Becker
03-22-2018, 9:01 AM
The big issue with the class 5 switches is that they have been out of production for a very long time and there is no ability to get parts and software updates anymore. Lucent stopped making the 5ESS a long time ago and the DMS switches from the former Nortel are in the same situation. One of my government customers was using a 5ESS and couldn't get software to "upgrade" to T1 PRI...and that was ten years ago. Yea, there are still a bunch of them out there in local COs, particularly in more rural areas, but they are becoming a significant liability.

Carlos Alvarez
03-22-2018, 10:54 AM
The big issue with the class 5 switches is that they have been out of production for a very long time and there is no ability to get parts and software updates anymore. Lucent stopped making the 5ESS a long time ago and the DMS switches from the former Nortel are in the same situation. One of my government customers was using a 5ESS and couldn't get software to "upgrade" to T1 PRI...and that was ten years ago. Yea, there are still a bunch of them out there in local COs, particularly in more rural areas, but they are becoming a significant liability.

There's a phase-out plan for neutral tandems. The cell carriers are already heavily interconnected by SIP; our calls to Verizon and T-Mobile are pure SIP, no PSTN. It's all moving quickly because it's more expensive and wastes more time to just maintain old class 5 gear than to just re-do it all with SIP. Not to mention the future costs of electricity, cooling, maintenance, and the like. A friend of mine works for <big carrier> and it's been a couple years since they replaced their thousands of network probes with virtualized software. They gather 13 petabytes/week of network activity logs.

Jim Becker
03-22-2018, 11:52 AM
Yes, IMS (IP Multimedia Subsystem) Networks that are pure SIP offer so much more than traditional TDM networks, including the types of integrations that wireless and other carriers need for all kinds of billing situations, scaleability and interoperability with legacy systems. The architecture is so well thought out that my former employer based it's entire enterprise SIP architecture on it, just stripping out the carrier focused things that were not needed in the enterprise to reduce complexity.

Dave Zellers
03-22-2018, 7:40 PM
Boy has this thread assumed a life of it's own, right down a rabbet hole. Back to original post. The brand of SR flour I mentioned is a regional brand, not a national brand. I had talked to SIL by phone earlier, but didn't mention any brand names. She asked me to email her recipe. The recipe was for biscuits, FYI.

Now I see the problem here. Biscuits will telegraph through to the surface after they dry. Especially in soft woods. Much better to spend the money and get a domino.

This has been covered many many times here.

Apologies. :D :)

Jim Becker
03-22-2018, 7:44 PM
"One ringie dingie...."

https://i.pinimg.com/originals/f8/62/6b/f8626b90afcd4bee89eb7eb8dc339a23.jpg

andrew whicker
03-22-2018, 8:03 PM
Do you find yourself making large biscuits all the time? If not, the smaller domino should be just fine.

That's what I use and I make fancy biscuits all the time.

Bruce Wrenn
03-22-2018, 8:34 PM
Do you find yourself making large biscuits all the time? If not, the smaller domino should be just fine.

That's what I use and I make fancy biscuits all the time.Made a pan full this morning (21 biscuits.) Some were plain biscuits to be eaten with country ham or jelly and butter, and others were cinnamon raisin biscuits with cream cheese icing. Y'all eat yet?

Lee DeRaud
03-22-2018, 8:41 PM
Made a pan full this morning (21 biscuits.) Some were plain biscuits to be eaten with country ham or jelly and butter, and others were cinnamon raisin biscuits with cream cheese icing. Y'all eat yet?Oh great, now we're going to get flooded with ads for ham and raisins.

Dave Zellers
03-22-2018, 11:56 PM
As long as you eat the biscuits before the gluten completely dries, there should be no problem.

Dave Zellers
03-23-2018, 12:05 AM
"One ringie dingie...."

https://i.pinimg.com/originals/f8/62/6b/f8626b90afcd4bee89eb7eb8dc339a23.jpg

OMG! Is there a tip jar here? :cool:

Peter Kelly
03-29-2018, 12:31 PM
http://prxbx.com/email

Some more private alternatives to Gmail, Outlook, Yahoo, etc.

Chase Mueller
03-29-2018, 1:08 PM
I don't know about y'all, but I think I need to make my way to AZ and have a beer with Carlos :D

Carlos Alvarez
03-29-2018, 2:06 PM
I don't know about y'all, but I think I need to make my way to AZ and have a beer with Carlos :D
...........
382625

Chase Mueller
03-29-2018, 2:16 PM
...........
382625

OMW man, first round on me haha

Jim Becker
03-29-2018, 3:39 PM
I see you restocked, Carlos... :) :D