Interesting People mailing list archives
Re: verizon archive security glitch?
From: David Farber <dave () farber net>
Date: Sun, 8 Jun 2008 10:23:10 -0700
________________________________________
From: Matt Blaze [mab () crypto com]
Sent: Sunday, June 08, 2008 1:05 PM
To: David Farber
Cc: ip
Subject: Re: [IP] Re: verizon archive security glitch?

Yes, as Lauren points out, it's almost impossible to use the normal customer service mechanisms of many large organizations to report security or reliability problems that fall outside the normal "script." And even when one is successful at getting through, there's a serious risk of being misunderstood. Unfortunately -- and surely this isn't what any organization actually wants -- the most reliably effective reporting mechanism these days is often public shame via the 'net.

A couple weeks ago, I noticed a small problem with a local ATM that was obviously malfunctioning or at least misconfigured. I tried to report the problem to the assistant manager of the adjacent branch, who was unfailingly polite and yet completely impervious to the possibility that there might actually be something wrong or worth investigating.

Later that day, a Friday, I ended up using the incident as a jumping off point for a blog post about the relationship between ATMs and electronic voting machines. The purpose wasn't to embarrass or criticize the bank, but rather to illustrate how even very "secure" ATMs can fail (and thus so might electronic voting machines, whose security is a much harder technical problem). The post is here: http://www.crypto.com/blog/atms_can_fail_too/

An unintended side effect was that I got the bank's full attention. The offending machine was taken out of service by the following Monday. That week I received (unsolicited) email messages from two different bank employees telling me that a senior manager had seen my posting and, in the words of one, "gone ballistic", both about the underlying failure and the branch's unwillingness to take my report seriously.
So the story had a happy ending (although perhaps it didn't end so well for the hapless assistant branch manager who didn't take the report in the first place).

Of course, this solution -- just blog it -- doesn't scale. The only reason it likely worked in my case is that I have a reasonably widely read blog that found its way to people high enough up in the bank food chain to make a difference. But perhaps the possibility that the random customer whose complaint is being brushed aside might actually turn out to have a large audience on the web will serve as an incentive for big organizations to become more responsive to everyone else. (I'm not holding my breath, of course).

-matt

On Jun 7, 2008, at 12:17, David Farber wrote:
________________________________________
From: Lauren Weinstein [lauren () vortex com]
Sent: Saturday, June 07, 2008 12:16 PM
To: David Farber
Cc: lauren () vortex com
Subject: Re: [IP] verizon archive security glitch?

It's worse than that. I know of cases where people have tried to report such glitches to various organizations and have then found themselves accused of hacking or violating privacy, and having to then jump through hoops to prove they didn't! This doesn't exactly encourage people to be proactive about reporting such problems when they're found.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com

________________________________________
From: Deborah Alexander [dsalexan () optonline net]
Sent: Saturday, June 07, 2008 10:53 AM
To: David Farber
Subject: verizon archive security glitch?

Dave – for IP-ers, if you think of use...

Scrolling blogs this a.m., I came across a posting that seems interesting in light of the presumptive Republican Presidential Candidate’s views about telecoms, privacy and immunity:

From http://www.explananda.com/

“On Thursday morning, I was trying to access some old cell phone bills online at www.verizonwireless.com. As I clicked through the months, most of the time the correct bill came up (as a pdf). But twice for some reason verizonwireless.com served up someone else’s bill. The first time I just absentmindedly clicked away and tried again. But the second time it occurred to me that there was something really squirrelly about the fact that I was able to access some other random dude’s bill. I could see all the calls that this guy made in September, 2007, his account number, and the fact that his bill was past due that month. That’s hardly the biggest security breach in history, but it’s also a legitimate concern for people who care about their privacy, and rely on companies to take reasonable steps to secure personal information.

I spent 30 minutes on the phone with Verizon trying to get someone to understand that there was clearly some technical glitch on their end, and that it raised a privacy issue (and a potential legal issue for them).

<snip>

“[Verizon] promised me that someone would call me back with an explanation. No one has called yet.

“I also made them promise to call this guy and tell him that someone else had been able to view information that should have been kept private, but about 5 minutes after I got off the phone with them I realized that that was unlikely. So I called the guy up and left a message. He called back a few hours later. No one from Verizon had called him.

<snip>

[ADDED BY WAY OF FOLLOW UP COMMENT]:

“I found it sort of interesting from an organizational perspective. Obviously Verizon gets a lot of calls from a lot of angry or strange people every day. So they need pretty robust filters, so that upper level managers don’t have to talk to every crackpot who calls with some issue that the operators aren’t in a position to properly assess. The result is that there was apparently no way at all for them to escalate the issue efficiently and effectively. According to them - and this may well be true - they just couldn’t get a hold of a supervisor who would be high up and smart enough to grasp the legal implications of my point, let alone the privacy and public relations aspect.

<snip>

Deborah S. Alexander, Esq.
Alexander Law Offices LLC
395 Springfield Avenue
Berkeley Heights, NJ 07922
Phone: (908) 898-1800
Fax: (908) 898-1801
Email: dsaLaw () Alexander-Legal com
Web: www.Alexander-Legal.com <http://www.alexander-legal.com/>

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com