Security: Technology vs Social Engineering

by chunlou (Curate)
on Jul 23, 2003 at 06:44 UTC [id://277057]

After 6:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, is Joe there?"
Programmer: "Joe no longer works here."
Caller: "O... So, what do you do there?"
Programmer: "Excuse me?"
Caller: "Are you a programmer? What kind of work do you do?"
[CLICK]

Around 2:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "Excuse me?"
Caller: "I'm returning a call from my pager... Who are you?..." (sounding clueless and innocent).
Programmer: "Who are you looking for?"
Caller: "I don't know, I'm just returning my pager's call. I only have the phone number. I don't know who called me..." (the number of my direct line???)
Caller: "... What's your name... What do you do over there?"
[CLICK]

Some other day, after 4:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "What do you mean?"
Caller: "I'm a recruitment agent. Are you looking for a job?"
Programmer: "Not really..."
Caller: "What kind of work do you do?" (You want to recruit me but you don't know what I do?)
[CLICK]

About 5:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, I'm calling from --- recruitment firm... I saw your resume the other day... very impressive... Are you looking for a job?" (I've never posted or submitted my resume anywhere.)
Programmer: "Not really..."
Caller: "What kind of job do you do?" (And you're interested in someone you don't know what he's doing?)
[CLICK]

Social engineering, as I was told, is not uncommon. It's another fancy way to say "spy," I guess. Sometimes it's employed as a security drill; sometimes just plain thievery. It's simply an act to elicit otherwise sensitive or confidential information from unsuspecting people.

Common as social engineering might be, data encryption is often almost the only security measure many people (business or technical) talk about, as though encryption equated to security.

Once, a bank asked a web application development house to build an application for them. They put strong emphasis on data encryption: encryption on the URL (we said we could encrypt the CGI parameters but not the entire URL itself), encryption over the network communication (that meant SSL and such), encryption (of passwords at least) in the database.

They also wanted a physically independent database server for extra security--which, for security purposes at the software level, made no sense to me, since the database might be physically separated but not necessarily logically. (A logically separated and independent database might contradict the overall architectural design of an application that was meant to be part of a larger "integrated" system.)

But then, an upper-mid-level manager had all his passwords posted by his computer monitor in plain view. This happens to many other people who have too many passwords to remember.

So, all the data were encrypted, huh?


___________________
Endnote: That's why security should be checked at two levels, namely local and global. For instance, a password like Delaunay19631112 (spouse's name + birthday) might be hard to crack by itself via brute force (local level) but could be easy via social engineering, pattern or correlation (global level). Good cryptanalysts or security advisers explore the latter, not just the former.
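To make the endnote's two levels concrete, here is an added Python example (not code from chunlou's post): a checker that scores a password "locally" by brute-force cost from length and character classes, and "globally" by looking for structure an attacker could learn about the owner, here a known name followed by a date. The name list passed in is constructed for the demo.

```python
"""Added example (not part of chunlou's post): a password check at both the
"local" level (brute-force cost from length and character classes) and the
"global" level (structure a social engineer could guess, here a known name
followed by a date). The names passed in are constructed for the demo."""
import math
import re
import string

# YYYYMMDD with a plausible month and day, 1900-2099.
DATE_RE = re.compile(r"(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])")


def local_bits(password):
    """Entropy an attacker faces if all they know is which character classes appear."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def global_findings(password, known_names):
    """Patterns recoverable from facts about the user rather than from brute force."""
    findings = []
    lowered = password.lower()
    for name in known_names:
        if name.lower() in lowered:
            findings.append(f"contains name '{name}'")
    if DATE_RE.search(password):
        findings.append("contains a YYYYMMDD date")
    # Strip the date and names; if nothing is left, the whole password is guessable structure.
    remainder = DATE_RE.sub("", lowered)
    for name in known_names:
        remainder = remainder.replace(name.lower(), "")
    if findings and not remainder:
        findings.append("password is entirely name + date")
    return findings


def assess(password, known_names=()):
    """Combine both levels: any global finding makes the password weak regardless of local bits."""
    bits = local_bits(password)
    findings = global_findings(password, known_names)
    if findings or bits < 60:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"local_bits": round(bits, 1), "global": findings, "verdict": verdict}


if __name__ == "__main__":
    # Spouse's name plus birthday, as in the endnote; the name list is constructed.
    print(assess("Delaunay19631112", known_names=["Delaunay"]))
    print(assess("u76d0pelgbuz3", known_names=["Delaunay"]))
```

Delaunay19631112 scores over 90 bits locally, which looks fine on its own, but comes out "weak" because the global pass recognises it as nothing but a name and a date; a random-looking string of 13 lower-case letters and digits scores fewer bits and passes.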
Re: Security: Technology vs Social Engineering
by dws (Chancellor) on Jul 23, 2003 at 08:51 UTC
    As a partial defense against this type of social engineering, a company I once worked for arranged to publish some fake entries in the company phone list, with extensions that rang through to HR. The extensions were at the beginning of our block. If the phone list got into the wrong hands, the fake people would be called. Or if a recruiter started working their way through the company, the fake people would be called. Either way, this gave HR a quick heads-up that we were being "hacked".

    A few got through. My favorite was "Hi, this is <mummble> in accounting. We need to verify your position, manager, and salary." That tends not to work well when your company is 50 people under the same roof.
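The fake phone-list entries dws describes are honeytokens. The following is an added Python example (not dws's or his former employer's system) of raising the same signal automatically from a PBX call log: any call to a decoy extension is an alert, and one caller id working through several distinct extensions in a short window is flagged as a directory sweep. The extension numbers, caller ids and log lines are constructed.

```python
"""Added example (not from dws's post or his former employer): detection
logic for honeytoken phone extensions, run over a constructed PBX call log.
Extensions in CANARY_EXTENSIONS stand for the fake directory entries that
ring through to HR. Two signals are raised: any call to a canary, and one
caller id reaching several distinct extensions within a short window (a
recruiter or attacker working through the phone list)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical numbering: the first three extensions of the block are decoys.
CANARY_EXTENSIONS = {"2001", "2002", "2003"}

# Constructed sample log, one call per line: timestamp, calling number, extension dialled.
SAMPLE_LOG = """\
2003-07-23 14:02:11,555-0100,2041
2003-07-23 14:05:40,555-0199,2001
2003-07-23 14:06:02,555-0199,2004
2003-07-23 14:06:30,555-0199,2005
2003-07-23 14:07:01,555-0199,2006
2003-07-23 15:30:00,555-0100,2042
2003-07-23 16:00:00,PRIVATE,2002
"""


def parse_log(text):
    """Turn the CSV-style log into (datetime, caller, extension) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, caller, ext = (field.strip() for field in line.split(","))
        records.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), caller, ext))
    return records


def detect(records, window=timedelta(minutes=10), sweep_threshold=3):
    """Return alerts as (kind, caller, detail) tuples in log order."""
    alerts = []
    history = defaultdict(list)   # caller -> [(timestamp, extension)]
    swept = set()                 # callers already reported for a sweep
    for stamp, caller, ext in sorted(records):
        if ext in CANARY_EXTENSIONS:
            # The decoy exists only in the phone list, so whoever dialled it has the list.
            alerts.append(("canary", caller, ext))
        history[caller].append((stamp, ext))
        recent = {e for t, e in history[caller] if stamp - t <= window}
        if len(recent) >= sweep_threshold and caller not in swept:
            swept.add(caller)
            alerts.append(("sweep", caller, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the caller at 555-0199 trips the canary first and is then reported once as a sweep after reaching three extensions in four minutes; the withheld-number call to 2002 is a second canary hit.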

Re: Security: Technology vs Social Engineering
by blue_cowdawg (Monsignor) on Jul 23, 2003 at 13:41 UTC

    I remember having to train a help desk staff where I worked on the concepts of social engineering because of an incident where someone called the HD and the conversation went something like this:
    HD: Help Desk, this is Rick, how can I help?
    Caller: Hi! I seem to have forgotten my password and I'm locked out, can you reset my password to "welcome"? I'll change it to something else after I get in.
    HD: What is your name?
    Caller: OH! My name is Rick C*****!
    HD: (composing himself as his name is Rick C*****) Oh really? That's my name...
    Caller: **** Click! ****

    As a result of that incident I was tasked with developing procedures that the Help Desk could use to verify the identity of callers. (call backs, challenge/response, etc.) There were several other attempts after that which were foiled as the company became larger and more visible.


    Peter L. Berghold, Brewer of Belgian Ales
    Peter@Berghold.Net, www.berghold.net
    Unix Professional
      I happen to be an Air Force Reservist, and our policy within the Network Control Center is, "If you know the person that you are talking with, you can change their password over the phone, else they have to come to the NCC and show their identification". While the base has several hundred people who work there, after a while you get to know most of them, as they are the ones who constantly have all sorts of PC problems.

      TStanley
      --------

            you can change their password over the phone, else they have to come to the NCC

        The challenge we had was we were a company that had 25 (later 53) locations around the country. Some of the people we supported were mobile users and could be literally anywhere.

        Blind callbacks were the preferred method of verification.
        Caller: My name is Sid Down and I need my password reset
        HD: OK Mr. Down I see you are a mobile user, can I call you right back on your Cell Phone?
        Caller Errrmmm... I don't have my cell phone handy and I'm not in the office... can you call me at (555) 555-1212?
        HD Mr. Down please call us back when you are either in your office or have your cell handy. We don't have (555) 555-1212 as an authorised callback number for you at this time.
        Caller (tries another approach) WHO THE Expletive Deleted IS YOUR MANAGER!?!?! I WANT MY PASSWORD RESET NOW!
        HD I understand your frustration Mr Down and want to help. I will conference your manager into this call as well as my own manager. Perhaps your manager can vouch for your identity.
        Caller ****CLICK!******
        This is a sanitized version of a conversation that actually took place between my help desk and a caller.

        A person was looked up in the corporate contacts list and could receive a callback on one of up to four numbers that were prearranged. There was a security question they were asked (e.g. "What is your dog's name?") that was pre-arranged and then the password would be reset.

        In addition an email was sent to a special mailing list "security-managers" so that an eye would be kept on accesses by this user for a few days.

        This all worked fairly well. Wasn't a perfect system but it worked. Additionally mobile users were issued SECURE-ID tokens and had to pass the challenge response system in order to dial in.


        Peter L. Berghold, Brewer of Belgian Ales
        Peter@Berghold.Net, www.berghold.net
        Unix Professional
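The blind-callback procedure in the reply above, written out as an added Python example (this is not the help desk's actual procedure or code): a directory record holds up to four prearranged callback numbers and a hashed security answer; the desk never calls a number the caller offers unless it is prearranged, resets only after the security question is answered on that line, and appends a notice for the "security-managers" list on every reset or failed attempt. All names, numbers and answers are constructed.

```python
"""Added example, not the procedure Peter's help desk actually used: a
blind-callback password reset. A user record holds up to four prearranged
callback numbers and a hashed security answer. The desk never calls a number
the caller offers unless it is prearranged, resets only after the security
question is answered on that line, and appends a notice for the
"security-managers" list on every reset or failed attempt. All names,
numbers and answers are constructed."""
import hashlib
import hmac


def answer_hash(answer):
    """Store only a hash of the security answer, normalised for case and spacing."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


# Constructed directory entry; "callbacks" holds at most four prearranged numbers.
DIRECTORY = {
    "sid.down": {
        "callbacks": ["555-0101", "555-0102"],
        "question": "What is your dog's name?",
        "answer_hash": answer_hash("Rex"),
    },
}


def choose_callback(username, offered_number):
    """Step 1: decide whether the desk may call the caller back at all."""
    record = DIRECTORY.get(username)
    if record is None:
        return None, "unknown user"
    if offered_number in record["callbacks"]:
        return offered_number, "callback on prearranged number"
    # Pressure or an unlisted number does not change the answer; escalate instead.
    return None, "number not authorised for callback; caller to use a prearranged line or conference in a manager"


def complete_reset(username, reached_on, answer, notices):
    """Step 2: on the callback, verify the prearranged security question before resetting."""
    record = DIRECTORY[username]
    if reached_on not in record["callbacks"]:
        return False
    if not hmac.compare_digest(answer_hash(answer), record["answer_hash"]):
        notices.append(f"security-managers: failed reset attempt for {username} via {reached_on}")
        return False
    notices.append(f"security-managers: password reset for {username} via {reached_on}; watch this account for a few days")
    return True


def handle_request(username, offered_number, answer):
    """Run both steps and report the outcome plus any notices generated."""
    notices = []
    number, reason = choose_callback(username, offered_number)
    if number is None:
        return {"reset": False, "reason": reason, "notices": notices}
    done = complete_reset(username, number, answer, notices)
    return {"reset": done, "reason": reason, "notices": notices}


if __name__ == "__main__":
    print(handle_request("sid.down", "555-1212", "Rex"))   # refused: unlisted number
    print(handle_request("sid.down", "555-0101", "rex"))   # reset, notice sent
```

The point of splitting the two steps is that the first one is decided from the directory alone, before the caller has said anything that could be checked, so an unlisted number ends the request without the desk ever having to judge how convincing the caller sounds.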
Re: Security: Technology vs Social Engineering
by herveus (Prior) on Jul 23, 2003 at 11:35 UTC
    Howdy!

    About 5:00 pm, the phone rang... Programmer: "Hello?"
    Caller: "Hi, I'm calling from --- recruitment firm... I saw your resume the other day... very impressive... Are you looking for a job?" (I've never posted or submitted my resume anywhere.)
    Programmer: "Not really..."
    Caller: "What kind of job do you do?" (And you're interested in someone you don't know what he's doing?)

    Programmer: *blink* "Why don't you tell me what it said in my resume?"
    Caller: *awkward pause* *CLICK*

    Substitute telemarketer for caller. "Put this number on your do not call list."
    "What is the number?"
    "You called me; you have the number."
    "No I don't"
    *click*

    Caller ID can be nice, too. If it comes up "private number", that's the first warning that something is fishy.

    yours,
    Michael

      If it comes up "private number", that's the first warning that something is fishy.
      Something fishy? Oooh, somebody values their privacy, be very afraid. There are these things called privacy laws, and the phone company lets you configure how your CallerID info is handed out. You can either have to hit *69 (I forget what the real code is) before making a call in order to stop your caller id info from going out, or you have to hit *69 to allow your caller id info to go out. I choose option 2.
        Howdy!

        The situation is not symmetrical. For the recipient of the call, it is a privacy issue.

        If you are the one initiating the connection, your expectation of "privacy" (or more accurately, anonymity) is lower. I have no obligation to allow that connection if you refuse to offer any identifying information.

        I see this as analogous to deciding whether or not to open your door to a caller. If the person is masked -- their identity obscured -- would you open the door? Now consider that person being unmasked, but unknown to you. Then consider that person being known to you. You have the option in all these cases to remain hidden in your home -- to not reveal your presence or identity to the caller.

        If someone wishes to make telephone calls without their number being visible to the recipient, one can consider this analogous to a masked caller at your front door. I believe the phone companies in the US offer the ability to block calls that have caller ID blocked, presenting the caller with a message that they must not block caller ID in order to get their call to ring through.

        yours,
        Michael



        Anonymity is a double-edged sword -- no one can harass you, but no one can reward you, either. Anybody agreeing with what you just said has no way to respond except replies, and it's more convenient within our community to provide ++ and --.
        you have to hit *69 to allow your caller id info to go out
        Please leave a message at the tone. If you want me to contact you, you may want to leave some way for me to do so, privacy or not.

        Oh, and if you show up at my door, you may have to wait a while:

        • You:   *knock knock*
        • Me:   Who's there?
        • You:   Why do you want to know? What do you need to know for?
        • Me:   You knocked to come in, right?
        • You:   Yes. It would be polite of you to let me in now.
        • Me:   Right. Who are you?
        • You:   I won't stand for these privacy violations! *leaves*
        • Me:   Gee, I feel cheated.
        I'm not a person who enjoys wasting time, so I don't pick up phone calls from people who don't show up on my caller ID. I'm not an ER, firefighter, cop, etc., so I really don't get important calls, for any reason. Friends email me, family emails me, and I can choose if I want to read their email -- based on who they are.

        Now, I do know someone with a perfectly legitimate reason to block their number (well, in their mind, anyway, but I digress...it's their choice). They don't have a problem with leaving a message. If they do, I will advise them to show the caller ID info when they call, and if they've got a problem with that...I can just stop returning their messages. I'll never pick up the phone when they call. :)
        -----------------------
        You are what you think.

        Something fishy? Oooh, somebody values their privacy, be very afraid

        Not really. As long as the people you're interested in know the rule then they'll reveal their phone number. The whole point is to identify the person on the other end of the line!

        I'm with herveus on this, and use a similar system on my personal line. I don't want to talk to anonymous people.

Re: Security: Technology vs Social Engineering
by AcidHawk (Vicar) on Jul 23, 2003 at 09:43 UTC

    So what kind of job do you do.. ?? ;-)

    -----
    Of all the things I've lost in my life, it's my mind I miss the most.
Re: Security: Technology vs Social Engineering
by thraxil (Prior) on Jul 23, 2003 at 16:19 UTC

    this is why i just never directly answer the phone. unless i recognize the number on caller id, or am actually expecting someone to call me, all incoming calls go to voicemail. my friends and family all know that this is how i operate so they know that if they call me from a strange phone they should leave a message and wait a few minutes for me to call them back.

    Kevin Mitnick's The Art of Deception: Controlling the Human Element of Security and Bruce Schneier's Secrets and Lies are essential reading on this topic.

    anders pearson

Re: Security: Technology vs Social Engineering
by phydeauxarff (Priest) on Jul 24, 2003 at 01:55 UTC
    I actually had a much worse experience about 10 years ago that drove home the importance of thinking through the human factor in security.

    After paying (big huge phone company who makes really expensive switches that I won't mention by name because I don't want to get sued) to implement a large switching system for our call center, everything was great until I got a page on a Sunday afternoon because our switch was pretty unhappy about a sudden spike in call volume.

    After driving in to see what was going on, I realized a bunch of calls were routing from New York to all sorts of places on the planet via our 800 number for tech support.

    After killing the entire New York and New Jersey area codes since we had no customers in that area, I heard the phone ring in our call center and heard the tech say, "it's that guy from the phone company again, what do you want me to tell him."...phone company? I thought...and had the call transferred to me.

    After answering the call I hear, "Hi this is Rick with (really big phone company who put in my switch) and we are testing the lines on your system...could you transfer me to 910 so I can run a test?"

    It turns out our techs had been dutifully transferring what they believed to be phone company employees to 9, the outside line, and then 1 0 for an international operator...great...that explains the $2k phone bill I now had to talk to our CFO about...

    Of course, my point is this.....we locked the system down pretty good (or so we thought at the time) but no security implementation can ever fully take into account the kid who will hold the back door open as he comes in from his smoke break for the guy who is about to steal all your laptops ...you can try to implement whatever you want but to overcome the human factor you have to keep the awareness level high by communicating openly with your employees and making them part of, and accountable for, your security processes.

Security, Password, Hash Values, etc.
by YAFZ (Pilgrim) on Jul 23, 2003 at 13:14 UTC
    Not directly related to the subject but since it is related to passwords, security, hashes, big chunks of data processing, etc. ... Here we go: Advanced Instant NT Password Cracker

    You think a password like u76d0pelgbuz3 is quite complex and hard to break (it took these guys just 2 seconds!)? Just read the technical paper and think again ;-)

      That program is based on the fact that NT systems don't store the password with a salt value. That company claims that its program is "the first of its kind for NT", but I'd be very surprised if that was true. Not using salt in a hashed password is just stupid, as these guys demonstrated.

      ----
      I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
      -- Schemer

      Note: All code is untested, unless otherwise stated
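The salt point in the reply above, as an added Python example (neither the cracker's code nor Schemer's): a lookup table built once from a small constructed wordlist recovers any unsalted hash of those words instantly, while a per-user random salt combined with a slow key-derivation function makes the same table useless and gives two users with the same password different stored values.

```python
"""Added example (not the cracker's code or Schemer's): why an unsalted
password hash is cheap to precompute. A lookup table built once from a small
constructed wordlist recovers any unsalted hash of those words instantly;
with a per-user random salt and PBKDF2 the same table is useless and two
users with the same password get different stored values."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the input to a precomputed table.
WORDLIST = ["welcome", "password", "letmein", "u76d0pelgbuz3"]
ITERATIONS = 100_000


def unsalted_hash(password):
    """The weak scheme: the stored value depends on the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """One-time precomputation, reusable against every user on every unsalted system."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash, table):
    return table.get(stored_hash)


def salted_hash(password, salt=None):
    """The corrected scheme: random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo(password="u76d0pelgbuz3"):
    table = build_lookup_table(WORDLIST)
    found = lookup_unsalted(unsalted_hash(password), table)
    salt_a, digest_a = salted_hash(password)
    salt_b, digest_b = salted_hash(password)
    return {
        "unsalted_found": found,                       # the table recovers the password
        "salted_equal": digest_a == digest_b,          # same password, different stored values
        "salted_in_table": digest_a.hex() in table,    # precomputed table no longer applies
        "verified": verify_salted(password, salt_a, digest_a),
    }


if __name__ == "__main__":
    print(demo())
```

The wordlist is tiny so the demo runs instantly; the property it shows does not depend on size. A real precomputed table just has more rows, and the salt defeats it the same way, because the table would have to be rebuilt for every salt value.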

Re: Security: Technology vs Social Engineering
by krisahoch (Deacon) on Jul 23, 2003 at 12:41 UTC

    Ahhh Hah!

    So you're the one who keeps hanging up on me! I was trying to call Joe! I now know what you do;)
    just kidding

    Kristofer Hoch

    Si vos can lego is, vos es super erudio

Re: Security: Technology vs Social Engineering
by waswas-fng (Curate) on Jul 24, 2003 at 02:10 UTC
    One of my last jobs was working for a sub of a big health care company as a sr. unix admin / security admin. I had an interview with the CIO set for Tuesday at 4:00pm. I called the CIO on the Friday before and told him I was Mike Hammer with EDS, and that the corporate CIO had asked us to finish the security audit we had started earlier in the year. I got a meeting set up with him at 2:30pm on Tuesday to go over the questions. I showed up at 2:30 and proceeded to glean info about his systems and network (firewall type/os/versions, os types and versions used, externally exposed boxen, firewall rules). I walked out of his office at 3:30 and went back to the receptionist area and waited for my 4:00pm interview. The look on his face was priceless.=)

    -Waswas
      oh man...you have to continue this soap opera...did Lora sleep with Jim? Did Matt wake up from his coma?

      Don't leave us hanging until next season...what happened at that 4p interview????? the Monks want to know....

      ;-)

        Wish it was a soap opera, I know more about HCFA/HIPAA Information Security guidelines than I ever care to admit. Where are those frontal lobe lobotomies when you need them. =/

        -Waswas
Re: Security: Technology vs Social Engineering
by zakzebrowski (Curate) on Jul 23, 2003 at 10:46 UTC

      I'm really not hot for this kind of software. While it is admittedly better than just having one password for all your services, it's still really bad. The former is really heinous as any of your services getting compromised results in a total compromise of all your services, but the latter is still bad as the compromising of this one particular environment will result in total compromise. Better to have your exclusive common password storage area be your brain, so that the only way it can be "cracked" is with a blow torch and a pair of pliers by a really callous person.

      If you are going to use something like Password Safe, at least make sure that you do it on a machine where you and only you have superuser privileges. On any other machine it is a potentially dangerously irresponsible assumption to make that the tty/keyboard/whatever is not being snooped. This also logically entails that it is a bad idea to ssh from machine to machine to machine, unless you are the exclusive super user on each hop along the way. Instead, always connect directly to the machine on which you want to work so that the only one capable of seeing your cleartext password is the system actually validating your credentials.

      Admittedly, having to maintain a different password for each of many services can be difficult, but there is a way to generate very strong passwords that aren't difficult to remember. Pick a good, long sentence from a book, and then use the first letter from each word as your password. Thus, my last sentence would become the password paglsfabatutflfewayp. The English language is sufficiently noisy and random that this generates strong, virtually unguessable passwords (it also helps that you can't grep dead trees), but even if you forget your password, you could ostensibly go and retrieve it just by remembering the page of the book from which you created it. Just don't make it the first sentence on the first page of the book that you go around propounding as your favorite book ever. :-)

        There are similar programs available for PDAs, which I vastly prefer to keeping it on one computer. Not just because I have near-complete control over physical access to my PDA, but also because I have to move from various systems throughout the day, and need something that can be kept with me.

        ----
        I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
        -- Schemer

        Note: All code is untested, unless otherwise stated

        This is a common discussion at work... No security system is completely error-proof, or has holes in it. It's a matter of where you want to be able to have trust. If you trust your computer and your file system, then it's reasonable to have an encrypted file to store passwords, especially with a relatively strong encryption method such as blowfish. If you *don't* trust your hardware, then methods that you have suggested work better, though storing passwords with a strong password still provides some stability. (Even then, you do change your passwords every other week right? ...)

        ----
        Zak
        Pluralitas non est ponenda sine necessitate - mysql's philosophy
        Argh, java! (couldn't resist)... otherwise cool.

        ----
        Zak
        Pluralitas non est ponenda sine necessitate - mysql's philosophy
      If I were at all going to go that route, I'd prefer to use just a GPG-encrypted plaintext file. That way at least I'm using a known and proven encryption implementation. It's got no UI of any sort either, which I prefer.

      Makeshifts last the longest.

Re: Security: Technology vs Social Engineering
by Popcorn Dave (Abbot) on Jul 23, 2003 at 21:10 UTC
    We get that all the time at work except it's usually competitors calling about item prices. You do get pretty good at weeding out the "spies" over time though.

    thraxil had it correct about Mitnick's book. It's a good read for anybody that's answering a phone for any company. You at least have a better idea on what to watch out for.

    There is no emoticon for what I'm feeling now.

Re: Security: Technology vs Social Engineering
by barrachois (Pilgrim) on Jul 28, 2003 at 22:19 UTC
    Ed Skoudis has a reasonable discussion of some of these issues in his Counter Hack book in a section titled Low-Technology Reconnaissance: Social Engineering, Physical Break-in, and Dumpster Diving.
