Message-ID: <20100717183304.97F.0@paddy.troja.mff.cuni.cz>
Date: Sat, 17 Jul 2010 23:41:16 +0200 (CEST)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: full-disclosure@...ts.grok.org.uk
Subject: In-band signalling (was: Re: NuralStorm Webmail
 Multiple Vulnerabilities)

On Thu, 15 Jul 2010 Valdis.Kletnieks@...edu wrote:

> > (*) In-band signalling in telephone networks.
> Feel free to elucidate a *feasible* way to have deployed out-of-band
> signaling on the installed copper-pair base back then.

I won't pretend I am an expert on PSTN technology. Nevertheless
frequency-division multiplexing was already in use in 1950s so I do not
find the idea of literal out-of-band signalling (i.e. to make the bandwidth
of trunk link channels slightly wider than what is allowed to come from
local loops and use that extra bandwidth for signalling) completely
implausible.

> Also, compare the *actual* costs and losses due to phreakers snagging
> free service due to in-band signaling to the eventual cost of upgrading
> every single central office to something that supported out-of-band.

This smells like a red herring. They had to upgrade all of them to support
direct distance dialing in the first place and there have been more
upgrades not related to the eventual widespread deployment of SS7 in
1990s.

> Maybe those bell-heads weren't so dumb...

That was not my point.

It might have paid off to accept the risk of abuse when hardware was
crude and expensive and when knowledge and gear needed to exploit the
vulnerability was not easily available. Although I suspect it was more
a case of being lucky enough to get away with a lack of foresight than 
a deliberate risk management decision.

But it is 2010 now. Everything I mentioned earlier changed years ago.
Hardware is incredibly more powerful and much cheaper. Every kiddie has
got a PC and high-speed Internet connection. All knowledge is one Google
search away (okay, I am a little bit exaggerating here). Yet the old 2600
Hz whistle lives on in apostrophes and less-than signs because we still
have not learned to keep control data and user data segregated.

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
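
The closing point about apostrophes and less-than signs, shown as an added example that is not part of the original message: the same user-supplied value is handled in-band (spliced into SQL or HTML text) and with the control and data kept apart. The table, the sample rows and all function names are constructed for illustration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Constructed sample data: one stored name contains an apostrophe.
ROWS = [("O'Brien", "ops"), ("Smith", "dev")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, team TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db

def lookup_in_band(db, name):
    # Control (SQL text) and user data share one channel: the query string.
    sql = "SELECT team FROM users WHERE name = '" + name + "'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error as exc:
        # The apostrophe in the data was parsed as a control character.
        return "control channel corrupted: " + type(exc).__name__

def lookup_out_of_band(db, name):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and is never parsed as SQL.
    return [r[0] for r in db.execute(
        "SELECT team FROM users WHERE name = ?", (name,))]

class TagCollector(HTMLParser):
    """Records which start tags a parser sees in a piece of markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_seen(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

def render_in_band(comment):
    # User text is spliced into the markup, so "<" in it opens a tag.
    return "<p>" + comment + "</p>"

def render_escaped(comment):
    # Escaping still shares the channel, but encodes the control characters
    # so the parser can only read them as data.
    return "<p>" + html.escape(comment) + "</p>"
```

A legitimate name with an apostrophe is enough to break the in-band query, while the bound parameter returns the stored row; likewise a comment containing `<b>` adds a tag to the in-band markup and none to the escaped one.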
