Re: verizon archive security glitch?

[David Farber <dave () farber net>]

________________________________________
From: Matt Blaze [mab () crypto com]
Sent: Sunday, June 08, 2008 1:05 PM
To: David Farber
Cc: ip
Subject: Re: [IP] Re:  verizon archive security glitch?

Yes, as Lauren points out, it's almost impossible to use the normal
customer service mechanisms of many large organizations to report
security or reliability problems that fall outside the normal
"script."  And even when once is successful at getting through,
there's a serious risk of being misunderstood.

Unfortunately -- and surely this isn't what any organization actually
wants -- the most reliably effective reporting mechanism these days
is often public shame via the 'net.

A couple weeks ago, I noticed a small problem with a local ATM that was
obviously malfunctioning or at least misconfigured.   I tried to report
the problem to the assistant manager of the adjacent branch, who was
unfailingly polite and yet completely impervious to the possibility
that there might actually be something wrong or worth investigating.

Later that day, a Friday, I ended up using the incident as a jumping
off point for a blog post about the relationship between ATMs and
electronic voting machines.  The purpose wasn't to embarrass or
criticize the bank, but rather to illustrate how even very "secure"
ATMs can fail (and thus so might electronic voting machine, whose
security
is a much harder technical problem).  The post is here:

   http://www.crypto.com/blog/atms_can_fail_too/

An unintended side effect was that I got the bank's full attention.
The offending machine was taken out of service by the following Monday.
That week I received (unsolicited) email messages from two different
bank
employees telling me that a senior manager had seen my posting and, in
the words of one, "gone ballistic", both about the underlying failure
and
the branch's unwillingness to take my report seriously.

So the story had a happy ending (although perhaps it didn't end so
well for the hapless assistant branch manager who didn't take the report
in the first place).

Of course, this solution -- just blog it -- doesn't scale.  The only
reason it likely worked in my case is that I have a reasonably widely
read blog that found its way to people high enough up in the bank
food chain to make a difference.   But perhaps the possibility
that the random customer whose complaint is being brushed aside
might actually turn out to have a large audience on the web will
serve as an incentive for big organizations to become more responsive
to everyone else.  (I'm not holding my breath, of course).

-matt



On Jun 7, 2008, at 12:17, David Farber wrote:

> ________________________________________
> From: Lauren Weinstein [lauren () vortex com]
> Sent: Saturday, June 07, 2008 12:16 PM
> To: David Farber
> Cc: lauren () vortex com
> Subject: Re: [IP] verizon archive security glitch?
>
> It's worse than that.  I know of cases where people have tried to
> report such glitches to various organizations and have then found
> themselves accused of hacking or violating privacy, and having to
> then jump through hoops to prove they didn't!  This doesn't exactly
> encourage people to be proactive about reporting such problems
> when they're found.
>
> --Lauren--
> Lauren Weinstein
> lauren () vortex com or lauren () pfir org
> Tel: +1 (818) 225-2800
> http://www.pfir.org/lauren
> Co-Founder, PFIR
>   - People For Internet Responsibility - http://www.pfir.org
> Co-Founder, NNSquad
>   - Network Neutrality Squad - http://www.nnsquad.org
> Founder, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
>
> - -
>
> > ________________________________________
> > From: Deborah Alexander [dsalexan () optonline net]
> > Sent: Saturday, June 07, 2008 10:53 AM
> > To: David Farber
> > Subject: verizon archive security glitch?
> >
> > Dave – for IP-ers, if you think of use...
> > Scrolling blogs this a.m., I came across a posting that seems
> > interesting in light of the presumptive Republican Presidential
> > Candidate’s views about telecoms
> > , privacy and immunity:
> >
> > From
> > http://www.explananda.com/
> >
> > “On Thursday morning, I was trying to access some old cell phone
> > bills online at www.verizonwireless.com. As I clicked through the
> > months, most of the time th
> > e correct bill came up (as a pdf). But twice for some reason
> > verizonwireless.com served up someone else’s bill. The first time I
> > just absentmindedly clicked a
> > way and tried again. But the second time it occurred to me that
> > there was something really squirrelly about the fact that I was
> > able to access some other ran
> > dom dude’s bill. I could see all the calls that this guy made in
> > September, 2007, his account number, and the fact that his bill was
> > past due that month. That’
> > s hardly the biggest security breach in history, but it’s also a
> > legitimate concern for people who care about their privacy, and
> > rely on companies to take rea
> > sonable steps to secure personal information.
> > I spent 30 minutes on the phone with Verizon trying to get someone
> > to understand that there was clearly some technical glitch on their
> > end, and that it raise
> > d a privacy issue (and a potential legal issue for them).
> > <snip>
> > “[Verizon] promised me that someone would call me back with an
> > explanation. No one has called yet.
> > “I also made them promise to call this guy and tell him that
> > someone else had been able to view information that should have
> > been kept private, but about 5 mi
> > nutes after I got off the phone with them I realized that that was
> > unlikely. So I called the guy up and left a message. He called back
> > a few hours later. No
> > one from Verizon had called him.
> > <snip>
> > [ADDED BY WAY OF FOLLOW UP COMMENT]:
> > “I found it sort of interesting from an organizational perspective.
> > Obviously Verizon gets a lot of calls from a lot of angry or
> > strange people every day. So
> > they need pretty robust filters, so that upper level managers don’t
> > have to talk to every crackpot who calls with some issue that the
> > operators aren’t in a pos
> > ition to properly assess. The result is that there was apparently
> > no way at all for them to escalate the issue efficiently and
> > effectively. According to them
> > - and this may well be true - they just couldn’t get a hold of a
> > supervisor who would be high up and smart enough to grasp the legal
> > implications of my point
> > , let alone the privacy and public relations aspect.
> > <snip>
> >
> > Deborah S. Alexander, Esq.
> > Alexander Law Offices LLC
> > 395 Springfield Avenue
> > Berkeley Heights, NJ 07922
> > Phone: (908) 898-1800
> > Fax: (908) 898-1801
> > Email: dsaLaw () Alexander-Legal com<mailto:dsaLaw () Alexander-Legal com>
> > Web: www.Alexander-Legal.com<http://www.alexander-legal.com/>
> >
> >
> >
> >
> >
> > -------------------------------------------
> > Archives: http://www.listbox.com/member/archive/247/=now
> > RSS Feed: http://www.listbox.com/member/archive/rss/247/
> > Powered by Listbox: http://www.listbox.com
>
>
>
> -------------------------------------------
> Archives: http://www.listbox.com/member/archive/247/=now
> RSS Feed: http://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com




-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com