Interesting People mailing list archives

Re: Details of Unlisted Number Address "Exploit" Revealed


From: David Farber <dfarber () cs cmu edu>
Date: Fri, 21 Dec 2007 13:23:51 -0500



Begin forwarded message:

From: "Bob Frankston" <bob37-2 () bobf frankston com>
Date: December 21, 2007 12:36:10 PM EST
To: <dave () farber net>, "'ip'" <ip () v2 listbox com>
Cc: "'Lauren Weinstein'" <lauren () vortex com>
Subject: RE: [IP] Re: Details of Unlisted Number Address "Exploit" Revealed

I see http://DigitalLanding.com as a symptom of the problem rather than the problem itself. Given the perversities of history it would seem that the proper way to get an unlisted number is to get a cell phone – even better, buy it in another state or even another country.

The whole idea of charging for unlisted numbers is based on an old version of the "network effect" in that you needed to make people aware of each others' phone numbers in order to find value in the newfangled phone networks.

Today we see in cellular just the opposite -- there have been many failed attempts to create cellular directories but it turns out to be unnecessary because there are countervailing forces – we now assume that we can connect to others but now the challenge (as we see with spam) is to give people control over their availability.

Notice that the DigitalLanding only works for (legacy) landline numbers. What is very strange is how very differently we view cellular and landline telephony – they are the very same thing but as with the rest of medieval telecom the nature is defined by a provider not the user.

Yet we keep piling on assumptions. Companies now presume they can get access to the addresses in the billing records and E911 would even require that even as the world has moved on. Telephony is a construct defined by the FCC and as such we shouldn’t be surprised to see our naïve assumption embedded implicitly in policy.

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Friday, December 21, 2007 10:59
To: ip
Subject: [IP] Re: Details of Unlisted Number Address "Exploit" Revealed



Begin forwarded message:

From: "L. Leon Campbell" <campbell () udel edu>
Date: December 21, 2007 10:41:10 AM EST
To: dave () farber net
Cc: "L. Leon Campbell" <campbell () udel edu>
Subject: Re: [IP] Details of Unlisted Number Address "Exploit" Revealed

Dave:

When I tested the site given, with my current unlisted phone number,
it gave me my previous address where I have not lived for almost seven years.

I had a completely different unlisted phone number at that address.

Leon.

---- Original message ----
> Date: Fri, 21 Dec 2007 08:18:11 -0500
> From: David Farber <dfarber () cs cmu edu>
> Subject: [IP] Details of Unlisted Number Address "Exploit" Revealed
> To: "ip" <ip () v2 listbox com>
>
>
>
> Begin forwarded message:
>
> From: Lauren Weinstein <lauren () vortex com>
> Date: December 20, 2007 7:32:18 PM EST
> To: dave () farber net
> Cc: lauren () vortex com
> Subject: Details of Unlisted Number Address "Exploit" Revealed
>
>
>
>            Details of Unlisted Number Address "Exploit" Revealed
>
>                http://lauren.vortex.com/archive/000347.html
>
>
> Greetings.  After due consideration, some expert advice, and since
> the firm involved obviously feels that they're not doing anything
> wrong (will everyone else agree?), I've decided to release the
> details of the unlisted number to address lookup "exploit" I
> outlined in "Psst! Wanna Know the Street Address for an Unlisted
> Number?" ( http://lauren.vortex.com/archive/000346.html ) -- please
> see that entry for the background on this situation.  This "exploit"
> is still up and running as of a few minutes ago.
>
> As noted previously, this technique is extremely successful at
> revealing the street addresses for U.S. landline (non-mobile)
> telephone numbers, including those aforementioned unlisted numbers.
> The returned information isn't 100% accurate for all queries and
> some numbers are missing -- I suspect stale data in certain
> situations -- but it's very "good" overall.
>
> Also, the full text of a response I received from the company's
> (apparent) public relations firm is available for your perusal and
> amusement ( http://lauren.vortex.com/acceller-rocket-response.txt ).
>
> Calling this procedure an "exploit" is actually a misnomer as you'll
> see, since it's simple and direct to access once you know where it
> lives -- and even that is unfortunately relatively obvious, so it
> seems very likely that it's already being used for "unintended"
> purposes.  My hope is that broader knowledge of this matter may lead
> to a more rapid resolution of the situation, since the firm chose
> not to limit this data after I called their attention to the privacy
> issues involved.
>
> As you probably know, various large cable television and other
> service firms (e.g. Time Warner, Comcast, etc.) offer an array of
> Web-based offers via their Web sites.  The most typical means for a
> new customer to query these sites about available offers at their
> location is via their phone number.
>
> And as it turns out, a major provider of back-end database and
> related operations provides various functional aspects of many
> related Web sites.  Enter a phone number at the Time Warner offers
> site, for example, and it's likely to actually be processed by this
> back-end service (sometimes in a quite obvious manner).
>
> It is also apparently possible to make similar queries via voice
> calls to a toll-free number at the back-end services firm's call
> center, but I have not explored the non-Web aspects of this
> operation in detail.
>
> Rather than worry about the cable firms in this example (though we
> could go through their sites as well when they link to this company)
> we might as well go directly to the back-end operation that's
> providing the information, since their own site apparently gives
> access to exactly the same data.  Here we go ...
>
> The company under discussion is Acceller, Inc., and you can visit
> their services access page at:
>
> http://digitallanding.com
>
> In the upper right-hand corner of the page, you'll find a "Search
> For Offers" form where a phone number may be entered.  It's that
> simple.  (Note: You may need to have cookies enabled for this to
> work, and Internet Explorer may perform better than other browsers
> in some cases for these queries.)
>
> Enter a phone number, watch the bouncing ball for 10 seconds or so,
> and then you stand an excellent chance of seeing a street address
> revealed for U.S. non-mobile numbers (along with the various service
> offerings available at that address, of course).
>
> The "geniuses" who programmed that site probably won't be getting
> any job offers from Google anytime soon.
>
> The implementation error is serious and obvious.  The proper
> procedure to avoid revealing private information about unlisted
> numbers would be to have the user enter their address -- not reveal
> it from the database based on phone number -- and then verify it yes
> or no against the database (even this suggested technique has some
> privacy issues, but they are relatively less serious and could be
> minimized in various ways).  By taking the "helpful shortcut" of
> revealing the address, the system is putting at risk -- for free and
> unlimited access by anyone at any time -- the private address
> information for unlisted numbers.
>
> I'm afraid that's really all there is to it.  Simple, clean, and
> neat, to be sure.  If you've been paying your local phone company
> every month for an unlisted number and are upset by this situation,
> I urge you to contact your telephone company, Acceller, and -- who
> knows? -- perhaps even your legislative representatives might be
> intrigued, among other persons and groups.
>
> Unfortunately, this isn't the sort of Christmas present that most
> people probably would wish for.  But it appears to be Acceller
> that's doing all of the ho-ho-hoing.
>
> --Lauren--
> Lauren Weinstein
> lauren () vortex com or lauren () pfir org
> Tel: +1 (818) 225-2800
> http://www.pfir.org/lauren
> Co-Founder, PFIR
>  - People For Internet Responsibility - http://www.pfir.org
> Co-Founder, NNSquad
>  - Network Neutrality Squad - http://www.nnsquad.org
> Founder, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
>
>
>
> -------------------------------------------
> Archives: http://v2.listbox.com/member/archive/247/=now
> RSS Feed: http://v2.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
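
The design fix described in Lauren Weinstein's forwarded post (have the user enter the address and answer only yes or no, instead of returning the address for a phone number), as an added example that is not part of the original thread and is not Acceller's code. The sample records, the function names, and the per-client attempt cap are assumptions made for illustration; the cap is one possible way to limit repeated guessing.

```python
import hmac
import re
from collections import defaultdict

# Constructed sample records; numbers and addresses are fictional.
SUBSCRIBERS = {
    "3025550142": "12 Elm Street, Newark, DE 19711",
    "8185550177": "400 Oak Avenue Apt 3, Los Angeles, CA 91364",
}
MAX_ATTEMPTS = 3              # assumed per-client cap on yes/no checks
_attempts = defaultdict(int)  # client id -> checks used so far (in-memory for the example)


def normalize_phone(raw):
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def normalize_address(raw):
    """Lower-case and collapse punctuation and whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split())


def lookup_address(phone):
    """Flawed pattern from the post: phone number in, stored address out."""
    return SUBSCRIBERS.get(normalize_phone(phone))


def verify_address(client_id, phone, claimed_address):
    """Suggested pattern: caller supplies the address, gets only yes or no."""
    if _attempts[client_id] >= MAX_ATTEMPTS:
        raise PermissionError("too many address checks for this client")
    _attempts[client_id] += 1
    stored = SUBSCRIBERS.get(normalize_phone(phone))
    expected = normalize_address(stored or "").encode()
    claimed = normalize_address(claimed_address).encode()
    # Constant-time compare; an unknown number and a wrong address both
    # return False, so the answer does not confirm a number is on file.
    match = hmac.compare_digest(expected, claimed)
    return stored is not None and match
```

With the first function, anyone holding a phone number receives the address; with the second, a caller learns nothing they did not already supply, and the cap bounds how many guesses one client can make.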