Bad Stuff Business ofcom scams security voip

VoIP Fraud — Technological Conventionality Achieved

VoIP has reached the mainstream. We know because the fraudsters are coming after us. welcomes VoIP Week guest contributor Colin Duffy, CEO of Voipfone and ITSPA Council member.

VoIP merges two of the largest industries in the world: Telecommunications ($5.0 trillion) and the Internet ($4.2 trillion). It is big business.

Estimates of VoIP market size vary, though they are universally large. For instance, Infotenetics Research estimates the global residential and business VoIP market to be worth $64bn in 2014, growing to $88bn in 2018. Visiongain, on another hand, puts the 2018 value at $76bn. WhichVoIP (Bragg) has it as $82.7bn by 2017, and also claims that VoIP calls account for 34% of global voice traffic – 172bn call minutes. And then there is the United States Federal Communications Commission, which estimates that “In December 2011, there were 107 million end-user switched access lines in service [ the USA and..] 37 million interconnected VoIP subscriptions.

And with opportunity comes the thief:

ICT Recent Scenarios: VoIP Week: Colin Duffy
(Corporate ICT)


(You have to love that New Scotland Yard hack…..)

But it’s not confined to big organisations; perhaps a little closer to home:

“A family-run business says it has ‘nowhere left to turn’ after hackers rigged its telephone system to call premium rate phone numbers — racking up a bill of nearly £6,000. ‘We reported it to the police, but we were told there was very little likelihood of them catching anyone so they wouldn’t be able to investigate’, she added.”                               

— Lancashire Telegraph

The Communications Fraud Control Association publishes a global fraud loss survey, and in 2013 they estimated that the global telecommunication industry loss to fraud was an enormous $46.3bn, which included:

  • VoIP hacking ($3.6bn),
  • PBX hacking ($4.4bn),
  • Premium Rate Services Fraud ($4.7bn),
  • Subscription Fraud ($5.2bn)
  • International Revenue Share Fraud ($1.8).

Over 90% of the telephone companies included in the CFCA’s survey reported that fraud within their company had increased or stayed the same since the last report.

Globally, the top emerging fraud type was identified as Internet Revenue Sharing Fraud, with Premium Rate Service Fraud (both international and domestic) also in the top five. Of the top five emerging fraud methods, PBX Hacking was the most important with VoIP Hacking at number three.

Who’s doing all this is a big and interesting topic, but here’s a starter:

Top Ten Countries where fraud

Top Ten Countries where fraud

East Timor

CFCA, Global Fraud Loss Survey, 2013

What can be done?

Earlier this year a customer of Voiceflex was hacked to the tune of £35,000 when over 10,000 calls were sent to a Polish Premium Service number over a period of 36 hours. The customer refused to pay, which resulted in a court case that the telco lost. Now the industry is looking to its terms and conditions for protection, but it’s clear that this isn’t enough – the cause needs addressing.

The best approach would be to cut off the money supply – if Telcos could withhold payments for known fraudulent calls, the activity would end. But this solution requires changes to inter-operator agreements and cross-jurisdiction interventions.

“We are currently in discussions with our fellow EU regulators about steps that may be taken to address cross-border [Dial Through] fraud and misuse. It is important that companies using VoIP systems take steps to ensure both the physical and technical security of their equipment in order to avoid becoming an ‘easy target’ for this type of criminal activity […..] We are approaching the NICC and relevant trade associations to ensure their advice is updated to help businesses better protect themselves against newer types of dial-through fraud that have emerged as technology has developed.”

— Ofcom 2013

For once I agree with Ofcom. The industry needs to work harder at target-hardening. We need to be making this industry safer for our customers.

There’s a lot to be done but a good start is to read and apply the guidance issued by ITSPA – the UK trade organisation for Internet Telcos.

I’m taking a close personal interest in VoIP fraud and security, and I invite anyone who has more information or who wishes to discuss this in more detail to contact me at email

A naive user asked me, ‘why can’t you just make safe telephones?’ Well, why can’t we?

Engineer security voip

Announcing ITSPA VoIP security workshop sponsored by Yealink is teaming up with ITSPA, the Internet Telephony Service Providers’ Association, to produce a twice yearly VoIP security workshop. The first one is during the Convergence Summit South show at Sandown Park on October 8th, Read on to find out more.

Announcing the ITSPA/ VoIP security workshop

Telecom Fraud – Part 1 – A Case Study for the Channel by a Paul Taylor from Voiceflex @ 2.30pm

The Part 1 talk which is part of the main Convergence Summit South programme nicely sets the scene for the ITSPA/ VoIP security workshop colocated at the same venue. The ITSPA/ VoIP security workshop goes into the main types of fraud perpetrated on VoIP service providers and their customers and discusses how to stop it happening in the first place.

Telecom Fraud – Part 2 – Prevention is Better than the Cure by ITSPA (the UK VoIP trade body) & @ 3.15pm

yealink secure voip provisioningThis VoIP security workshop is intended to provide attendees with an overview of the current fraud threats facing the Telecoms/VoIP industry, outlining its scale and discussing the ways to mitigate against these problems before it is too late. Looking from all angles (service provider, reseller and vendor perspective), there will be short presentations from various industry players, outlining their experiences, followed by a panel and Q&A session to discuss the best methods of combatting fraudulent activity and best practice tips. Nibbles and drinks will follow to continue the discussion.

The format includes:

1) Telecoms/VoIP Fraud – the current state of play and how bad is it? – Simon Woodhead of Simwood

2) An outline of three specific types of fraud and what to do to tackle it

a. PBX Hacks David Cargill

b. Accessing SIP credentials  Steve Watts of Yealink

c. Identity spoofing Colin Duffy of VoIPfone

Simon Woodhead will also do a slot on general protection against non-specific threats.

3) Audience Q&A – How to prevent fraud, spot fraudsters and adhere to best practice.

This week is also going to be VoIP week on We have a gang of regular contributors providing posts but if you have an idea for an interesting VoIP posts let us know. You have to be from the VoIP/ITSP industry and it should not be a blatant sales pitch for your company’s products and services.

Finally on the 8th October, the same day as the VoIP security workshop, we are having the 5th UC Exec Dinner. This time the speaker is Dean Elwood, CEO of Voxygen. Dean is coming to talk to us about what is happening with OTT VoIP services in the big telco community. This is only open to senior execs in the UC industry. More details here.

Bad Stuff End User piracy security

Website Blocking Report

See if your website is being blocked by ISPs using the Open Rights Group (ORG) website blocking Blocked resource.

Had an interesting tweet this morning from @boggits pointing me at, specifically this link. It shows, as is seen in the header screenshot, that three mobile networks: 3, O2 and EE have blocked users access to

My only prior personal experience of website blocking is when the Timico firewall blocked access to the blog. V funny you have to admit but at least I had direct control over that situation and was able to report it to myself myself, if you see what I mean. It was simply blocking access to blogs rather than having noted lots of dodgy content.

Blocking blogs as a blanket act is now a somewhat naive and outdated activity.

None of the mobile networks are blocking access to at the moment, as far as I know. Maybe hundreds of people complained. Don’t argue – it could be what happened:). Typically mobile networks block dodgy sites as standard although you can call them to ask for the blocks to be removed:

“ring ring (x20) … hello this is your mobile operator customer service executive here … oh you want the blocks removed (snigger snigger) … certainly sir, all done for you … ”

I had to do it once because the SIM in my laptop was being blocked from accessing the online portal I was using to manage my VoIP account. Also there was a fun scenario where our private APN service was being used to apply policies to corporate network access and I’d deliberately type in porn addresses to show website blocking in action. Jared the IT must have had a few eyebrow raises at that one.

Website blocking by court order for the likes of Pirate Bay haven’t yet been applied as far as I am aware. Someone is sure to point out my mistake if I’m wrong there.

Anyway that’s it on the website blocking front for today. Gotta go to Laandan. Ciao amigos.

End User security

Lock screen strategy – show your home phone number

Showing your home phone number on your lock screen could avoid a lot of problems if the phone is lost.

I’ve always had “Tref’s phone” as text on the lock screen on my phone. Once when the phone was accidentally left on the bar at the cricket club it was returned to me immediately. V handy.

The other day I was chatting to someone whose kid had somehow left their phone on a bus. Must have fallen out of his pocket. Wasn’t certain it wasn’t stolen but it was certainly gone. They reported the loss at a police station and were able to track that phone but not in sufficient real time to catch up with whoever had whipped it.

At the police station they could see the phone moving alongside the Brayford pool (see yesterday’s pic of swans). They rang the phone but it immediately disappeared off the screen. Clearly it must have been thrown in the water.

Now the moral of this tale is all about the lock screen. Had the kid had his home phone number on the lock screen there is a chance the problem would not have arisen. The “finder” could have rung the home number. Maybe even collected a reward. As it is the phone was permanently lost. A locked phone is no use to anyone. Why steal it?

I can see a scenario or two where this might not work. If a girl had her home phone number on her phone and someone picked it up off the table in a night club for example. The chances are she is probably quite choosy about who she shares that number with.

I’ve changed my lock screen to include my home number. Makes a lorra sense to me.

That could be it for today. Moving kid1 from Oxford to London. That’s Lincoln – Oxford – London – Lincoln. Will have some downtime in Oxford between 4pm and 7pm whilst he finishes a split shift – if anyone is around for a cuppa. Phamily foto below outside his London office.


security voip

Wot? No Password?

UM Labs Ltd. Founder and CEO Peter Cox’s post is based on a presentation given at a recent ITSPA workshop on the risks of auto provisioning.

Everyone understands the need for security on the Internet. We all know the importance of using strong passwords and — painful as it may be — regularly changing those passwords. As such, would it surprise you to learn that there is one widely used Internet service that routinely provides sensitive information to anyone that asks without asking for a password or employing any other form of authentication?

The service I refer to is phone auto provisioning. If your company has an IP phone system (as most mid-to-large companies do) or if you outsource your phone system to an IP service provider, the chances are that your phones are using auto provisioning and possibly without using authentication. ITSPA has recognised the problem and is working on producing guidelines to address it.

One of the benefits of VoIP is that you can take a phone out of the box, plug it in just about anywhere, and it works. Of course, there is a lot going on behind the scenes. For instance, for an IP phone to work it must first be configured with such details as a phone number, the network address of the system it should connect to, and a password the phone uses to authenticate itself to the service provider or internal phone system. Calls cost money, so phones must be identified and authenticated when they connect to the service and when they are used to make calls. The problem is that the complete configuration for a phone is long and complex. It could include 100 or more parameters, for example:

	sips persistent tls:     1
	download protocol:       HTTPS
        sip line1 proxy ip:
	sip line1 registrar ip:
        sip line1 proxy port:    5060
	sip line1 registrar port:506
	sip line1 password:      xxxxxxxxxxxxxxxxx

Of course, nobody wants to have to type such information in, so this is where provisioning steps in. When a handset is connected it contacts a pre-defined provisioning server (just a specialised web server), identifies itself via its unique MAC address, and downloads its configuration. Simple! The problem, though, is that most provisioning servers identify the phone (particularly when hardware IP phones are connected) solely via its MAC address — a 12-digit value unique to each phone that is normally printed on the phone alongside the serial number.* As such, if a provisioning server gets a request for a MAC address it recognises the server replies with the complete configuration needed to configure the phone….and most provisioning servers DO NOT ask for a password or use any other authentication mechanism. Thus, anyone who knows or is able to guess your phone’s MAC address can download its configuration, including the password needed by the phone to make calls.

Distributing passwords to anyone who asks without some form of authentication is clearly a bad idea. And guessing MAC addresses is not as difficult as it sounds. All an attacker has to do is to connect to a provisioning server and try each of the 16.7 million possible addresses for a specific vendor, which may sound like a big challenge but which in truth is not. To support this point I recently wrote a very simple script to do exactly this in just 5 minutes. I then pointed my script at a service provider’s provisioning server and ran it using a restricted set of 1,000 address. Running on a £25 Raspberry Pi, my script took roughly 7 minutes to complete and returned the complete configuration of two phones including passwords. And as I had no way of knowing if any of the 1,000 MAC addresses belonged to phones connecting to the service provider, 1,000 is a good hit rate.

At a rate of 7 minutes to scan 1,000 MAC addresses it would take 86 days to scan the entire range of 16.7 Million addresses used by a particular phone manufacturer. Then, having done that, I could get the configuration — including the password — for every phone from a single vendor used by the targeted service provider. And what if I was not willing to wait 86 days? I could invest in faster hardware or spend a bit more time writing a more efficient script (or both) and easily complete the scan in a week.

The information that my script returns would be invaluable to an attacker, offering an easy route for call fraud that could leave the victim with a bill of tens or thousands of pounds. Thus, ITSPA’s initiative to address the problem could not be more timely.

*All systems connecting to a network, whether a wired Ethernet connection or a WiFi connection, must have a globally unique MAC address hard-wired in when the device is built. These MAC addressees are managed by the IEEE, with each manufacturer assigned a six digit prefix (A list of vendor prefixes is published at MAC addresses are base 16 numbers, so the remaining 6 digits can be used to create 16.7 million unique addresses.

Business online safety security voip

Voice Fraud – You Need to Act! welcomes VoIP guest contributor Simon Woodhead, CEO of wholesale voice provider Simwood.

In February, we published VoIP Fraud Analysis, a white paper that details Simwood’s three years of operating a Honeypot, coloured in by many years of real-world experience servicing wholesale voice clients of all sizes and seeing them compromised. Our research has been very well received in official circles from OFCOM to ACPO, at industry events comprising scarily competent people, and we’ve since been able to compare notes with others in darkened rooms who study this for a living. Of course, I won’t repeat the full content of the white paper here — and it certainly wouldn’t be appropriate to do so — but I will be glad to share a few observations from it.

VoIP fraud — an estimated $46bn a year problem — has come as no surprise to anyone, and as we’ve run through the mechanism of attack the majority of people in the audience have seen at least parts of the behaviour we describe in the wild. If we were describing other kinds of crime most people would be looking in from outside, but VoIP fraud is pervasive and everyone in the industry has seen it at some level. Similarly, nobody has questioned the solutions proposed; some of which are unique to Simwood though they can be employed by any provider on almost any equipment. Despite this, people remain reluctant to act and, dare I say, a little complacent. It is somebody else’s problem until it is their problem, and by then it may very well be too late. Remember, $46bn is the estimated measure of the good guys’ incompetence…the bad guys’ intent is infinite and, as we’ve seen, can quite literally put a provider out of business in just hours.

The sad fact is that the bad guys are becoming far more professional. Gone are the days of script-kiddy intruding with such blunt force that it was apparent as a DoS attack. They are still there, of course, and can still be very effective in breaching completely unprepared networks, but the serious people — the professionals — are…well, professional. There’s no impatience or fervour to their attacks and they do their homework very very well. Their reconnaissance is unobservable to those not looking out for it at the packet level, and their early compromise testing is lost amongst legitimate call traffic for those unaware of the test numbers identified. Then they wait, patiently.

Christmas 2013 was a busy time for us with almost every night seeing one of our customer’s end-users compromised. Actually, we saw the same customers compromised repeatedly night after night, as the bad guys had identified a specific vulnerability present in the equipment they’d deployed to their end-user businesses. Where the customers were ISPs (with a defined block of IP addresses containing customer equipment) the attackers had been able to identify a list of similar targets on their network vulnerable to the same attack. This would have taken a long time and a lot of patience, before striking when eyes were furthest from the ball. On every single occasion we identified the incident, proactively made contact with our customers to advise and help resolve the incident. The attackers left quietly, knowing they had a long list of other targets and could come back later. They did, every night for the Christmas period.

Don’t be fooled into thinking this is just a “VoIP” problem. Many incidents are targeted and exploit non-VoIP technologies (e.g., those present by virtue of traditional PBXs being retro-fitted with IP capability) while many others are at other levels altogether, such as the http interface of CPE or provider admin systems. The traffic may pass over VoIP as a consequence, but in many cases once the VoIP side of it has been contained it will then pass over traditional phone lines connected to the same equipment. It must be an anxious time waiting for the CPS invoices afterwards!

My point here is not to scare you, but to highlight two trends: (1) providers are becoming more complacent, and (2) attackers are becoming more professional. A destructive combination, indeed, and one that is sure to end in more tears. Attackers are not going to become less capable and less professional, so the only option is for providers to be less complacent and to — this is critical — take action. Very few if any are doing everything they could, whereas others dismissively rely on techniques that may help but are incomplete and therefore give false confidence. The bad guys can turn on an attack at any point after the reconnaissance is complete, and if you think they cannot then how will you notice and be able to react when they do?

The solutions are often simple and free, however they require a willingness to implement and generally bring many other benefits. By way of example, the vast majority of providers operate SIP on UDP 5060 because that is the out-of-the-box behaviour, whilst you’d struggle to find equipment nowadays that doesn’t support TLS. Not only are TLS endpoints far less common targets, but TLS and SRTP also give end users the privacy I think they already expect they have. Similarly, billing more frequently and getting as close to real-time as possible not only enables fraud monitoring but provides massive operational and commercial benefits too. Your carrier monitoring and enforcing fraud controls on your wholesale account, safely away from your network, is by far the most effective preventative measure, and some of us do that to varying degrees.


There are many more solutions contained in the Simwood VoIP Fraud Analysis white paper, and we urge you to implement them, and also to lean on your carrier to help you to do so. Please note that in all the “Christmas” examples it was we the carrier — not our customers — who noticed end-user compromise.

The key take-away I want to leave you with is that if you are having no trouble sleeping at night because you believe it can’t/won’t happen to you, then you really need to act now. Your network may already be compromised, with eyes awaiting your being off the ball, perhaps over a coming Bank Holiday.

VoIP Week Posts:

Engineer security

Oops – was that the red button? Nuclear near uses

Following last week’s post in which we discussed the precautions taken by Nominet to withstand nuclear attack we beginning to realise how sensible this was.

A Chatham House Report Too Close for Comfort: Cases of Near Nuclear Use and Options for Policy describes thirteen incidents of near nuclear use. It’s almost like reading the notes used in preparation for a James Bond movie with words like “failed coup”, “Kashmir standoff” and “Operation Anadyr”. A tale of espionage, conflict escalation and mistaken identity. In fact it’s nearer to Johnny English and Austin Powers than James bond with stories like the president leaving the secret launch codes in his trousers pocket when they were sent to the dry cleaners.

The worry is that in a world you would think totally foolproof the causes include faulty computer chip, technical error and exercise scenario tape causing a nuclear alert.

The Chatham House report names and shames those involved – you could easily have guessed:

country times involved in
near nuclear use
US of A 4
Russkis 6
us (ie United Kingdom) 1
India 2
Pakistan 2
Israel 1

It’s quite pleasing to note that we, the UK, have only been involved in one incident. We are obviously far more reliable than the Yanks or the Russins. Innit. You must also forgive me for lapsing into the language of Hollywood when describing some of the countries involved. I ws born when the cold war was still in full swing – “my name is Harry Palmer and I work for the government for thirty pound a week”.

All I can say is, that as someone working in the internet industry, I’m glad the network was designed to be nuclear bomb proof and that Nominet have taken precautions…

Bad Stuff End User online safety security

Heartbleed – a pain in the proverbial

Big fuss doing the rounds over the Heartbleed bug. Google it. Every man and his dog1 is saying it is really bad and offering advice which basically says change your passwords oh and btw it might not make sense to change it yet because your specific service might not have patched their SSL.

Now this is the problem. I have 75 sets of credentials for accessing online services. Each one has a complex and unique password. It’s going to take hours to change them all.

A few are more important than others, Google and banking for example. I checked Lloyds Bank. There are no notifications on their website. No advice. No words of comfort saying “don’t worry Tref you are ok son”. Now I can’t believe that a bank like Lloyds with presumably a huge security team hasn’t got it covered.

I checked them using LastPass and got the message “A Server header was not reported, you should assume this site could be vulnerable.” Now this may be because the site is vulnerable or it may be that Lloyds has its website nailed down so that services such as LastPass can’t ping it for information. Not being an expert in this field I don’t know.

Maybe I don’t need to worry about it anyway. Lloyds uses 2 factor authentication. Is that affected? Hmm. No idea.

I read about  tech so picked up the Heartbleed story. My dad doesn’t read this stuff. He is 80. He reads the sports pages, the political news and, oh I don’t know, headlines from 1956. Anything really but not news about Heartbleed.  Yeeeeoooooooowwwwnggg – right over his head. He probably doesn’t even know most passwords he has created. Probably a majority of the population will be in the same boat.

A lot of people out there will be oblivious to Heartbleed, oblivious to whether their services are affected and oblivious as to whether they need to do anything about it. What’s to do?

I’d envisage each of the 75 services I have an username and password with will be wanting to send me an email advising me of a course of action. Not received one yet…

lastpass heartbleed check

Other security related posts:

Who sells your contact information?
1 Rover2
2 Could be Bonzo

ecommerce Engineer security

New Joules shop opens – queue remains calm, Bruce Schneier signs book

two_pence_thumbCould hardly contain my excitement walking to work this morning. A new shop has opened on Lincoln High Street!

I wouldn’t have notice were it not for the fact that a woman got in my way trying to take a photo of the queue. I too like to take photos (of queues) so I reversed in my tracks, whipped out my journalistic photo device and took two pics just to be on the safe side. David Bailey would have been confident with only taking one.

It’s unlikely I will be visiting this shop. It sells

Business security spam UC

Selling your contact information – who does it?

One of the things I’ve been looking forward to in life post Timico is having a cleaner inbox. I don’t get spam using Gmail and the platform very kindly filters most commercial mails in to a tab called “Promotions”.

This I love. I do look occasionally and note that the mails are typically from rewards membership accounts and their ilk. I am ok with this.

My Timico mailbox, RIP, used to get tons of unwanted rubbish from companies I had no interest in and who

Engineer security servers

Lloyds Bank – 2 out of 7 servers “down”

Problems with Lloyds Bank & TSB cashpounts attributed to failiure of 2 out of 7 servers by BBC.

Interesting article on BBC Radio 4 Today Prog this morning. Apparently last night some Lloyds & TSB customers were unable to use their debit cards for a couple of hours or so. Not me. I was at home.

The point is that apparently two servers were down. It’s a bit of an eyebrow raiser that this could happen with just two servers going down. Doesn’t sound like good capacity planning. I’d have thought they’d be load balanced with plenty of headroom on each server that would allow for such an eventuality.

Can’t be right unless there’s something specific re security for such systems that doesn’t allow them to do that.

One wonders what would have caused two servers to go down at the same time. Rack outage maybe? No generator bup? Suspect we won’t find out and I’m only mildly interested.

The other observation relates to that comment by the reporter re people at petrol stations whose cards were rejected.  Unless they had alternative means of payment they had to wait at the petrol station until someone came along and paid for them.

Petrol stations in my experience can fail over to a manual card swipe using old fashioned slips of paper. Maybe not all of them. Or maybe because the card processing system was not “down” generally the specific Lloyds customers weren’t trusted.

That’s all.

PS no such thing as 100% uptime – see this post on Vodafone outage

End User security

Intro & Password Pain by @LindseyAnnison

I’m grateful to Tref for leaving the corporate treadmill and embarking on this new venture.  Although he never appeared to hate, or even dislike, his day job as some others in the industry seem to (in fact, having seen him in situ in the Timico offices several times, he seemed to positively revel in it!), I am very much looking forward to his posts, especially about monetising this blog, and hence the new company. So, I would first like to say thanks for the chance to guest post and wish him the best of success.

I guess I’d better briefly introduce myself. I have campaigned for ubiquitous, affordable and, in particular, rural broadband since the mid 90s when I was trying to set up my Internet marketing business in the Yorkshire Dales.  I met Tref because he was kind enough to allow a bunch of broadbandits to invade the top floor of Timico for a colloquium a few years ago. I am currently trying to take a break from all things broadband to write more books (I have so far published six), an internet marketing course for SMEs, and to get back to my core skillset (Internet Marketing and Web PR), and my own business which keeps being put on the backburner because of the broadband shenanigans in the UK. I’m a guest/ghost blogger on many sites, copywriter, occasional ranter, and can be found on Twitter. Usually late at night.

I thought I would begin my guest posting with a tale of woe – the Absolute Pain of Passwords. Is it just me or do others have this problem too?

I have several devices – an iOS smartphone (the iThing), an Apple tablet (iThing2), a Windows laptop, a Remembering PasswordsPC (that can boot into either Ubuntu or two different versions of Windows) and a Mac Mini. That makes a total of seven separate devices. And then there are the many times I might need to use someone else’s device eg whilst travelling, when my battery is flat, cybercafe etc.

If I go to log in to, say, a social media account on one of these devices, and I cannot remember my password, then I either have to find one of the other devices that is logged into the account – which can be a pain if I am not in their location – or, and this is where the nightmare begins, hit “Forgot password”.

This action then kickstarts a chain reaction of marginal chaos.

Business online safety security spam

Gmail update – Google+ comment

gmail_updateGot an email yesterday from Google about a change to Gmail. Everyone probably got the same mail. Certainly the mainstream media made big news of it, in the tech sections. When you are sending an email from a gmail account you will now be offered Google+ account holders as recipients of the mail.

One site, whose name is oft misspelled, even published a post on how to change your settings to stop people from being able to contact you via Google+. This would appear to me to be a blatant sop to search engine rankings – a big part of the email I got was all about explaining exactly this so the repetition of this info seemed particularly unnecessary. Whoever gets news out first attracts the visitors so it’s dog eat dog out there in the www.

Anyway “starting this week, when you’re composing a new email, Gmail will suggest your Google+ connections as recipients, even if you haven’t exchanged email addresses yet. Your email address isn’t visible to your Google+ connections until you send them an email, and their email addresses are not visible to you until they respond.

I’ve tried but I can’t seem to get it to work. I guess “this week” must mean “next week” or at least from Monday onwards.

If someone from outside your Google+ Circles emails you then the mail gets filtered into the “Social” tab in your inbox. In my case this means it is unlikely to get read because I never look in that tab. I don’t look in the “promotions” tab either unless I’m expecting a particular mail – eg a password reset.

The tone of the online commentary about this “feature” is in the vein of “Google trying to increase/stimulate Google+ usage” and also all about privacy.

In my mind this is a very useful feature. I want people to be able to get hold of me. The principle is no different to your telephone number. Unless you want to be ex-directory anyone can look up your number. Of course there is the concern about spam but Google has a fantastic antic-spam engine and if it turns out to be “legitimate” spam from a business then this gets filtered into the “promotions” tab as previously mentioned. You can also label a sender as being a spammer which I frequently do if the email addresses me as “Hi”.

So all in all I think this is good. Except as I mentioned it doesn’t seem to work for me! That’s all folks.

End User online safety security

Eventbrite security really on the ball – Adobe hack

Had an email from Eventbrite yesterday with the subject “Keeping your account protected”. Fair play to them. Eventbrite have looked at the 3 million user name email addresses recently hacked at Adobe and cross referred them to any in use on the Eventbrite platform.

They have then let the Eventbrite users with these identical email addresses subs. I was one of them.

Most of my passwords are different and far too complicated to remember even. I didn’t even know I had an Adobe account. I checked. I did. I changed the password.

I also checked for any other account with the same email/password combo. There were two. They had not been used for some time (years maybe) but I changed each password.

One of the sites was Kodak. It took me some time to find out how to login on the Kodak website and I found I was locked out of that account!! Had someone tried to login a few times and locked the account? (could have been me – I dunno).

I also got a message saying “NOTE: Your MySupport account is different from your KODAK Store, KODAK Gallery, KODAK Pulse Digital Frame, Tips & Projects Exchange, and Google Cloud Print™ accounts.”

Goodness knows how I’m supposed to figure out/remember which is the right one to log into. Why can’t they have one login for everything?

Anyway well done to Eventbrite – this is great customer service. I looked but saw no email from Adobe letting me know my details had been compromised. Might have been caught in a spam filter I guess.


Engineer peering security

Team Cymru – the correct pronounciation

On a completely different note whilst I was at the Euro-IX conference last week someone gave a talk that included something about Team Cymru. Team Cymru are a top bunch of guys in the cyber security space.

However there is something that urgently needs addressing about the organisation and that is how you pronounce their name. I’ve been hearing Team Kim-roo which is understandable but totally incorrect. I’m sure that the good folk at Team Cymru will not mind me saying that the correct way to pronounce the name is Come-ree. It is the way that the Welsh would say it.

There. I’ve got that one off my chest. Cymru am byth!

Business online safety Regs security

Government Minister responsible for leaking secrets to enemy spies?

I note that old Francis Maude, Cabinet Office minister, has taken his communications services into his own hands and  installed a WiFi connection. The Telegraph article doesn’t go into any great detail as to what the WiFi is connected to. You get the impression he has ordered a separate broadband line to his office.

I was pondering on a comment on this article. Should we the great unwashed have a view on this? On the one hand if he is just using the WiFi to hook up his iPad etc just to catch up with his pals on Facebook and Twitter what’s the harm in that? I’m not sure he uses Twitter mind – I could only find a couple of parody accounts in his name. Maybe he uses an alias. I digress.

On the other hand he could be opening up the whole government communications infrastructure to foreign spies hell bent on infiltration and bad things. FM could be the cause of us having enemy sleepers (is that the correct terminology, it’s been a while since I read Le Carre – curse you #Twitterthiefoftime) deep into Whitehall ready to spring into action when the activation code word is broadcast on the BBC Radio4 Today programme or in a classified ad in The Financial Times (or Telegraph).

It might be argued that all the security that makes Government systems so clunky as described in the Telegraph article is all a waste of time anyway when it seems inevitable that Edward Snowden will one day leak all the secrets. We may well find that most of the info is routine stuff like what is Francis Maude’s favourite sandwich filling. Could of course be of use to an enemy seeking to poison him. Look out for yourself Francis. Take care now.

Whatever happens I’m all in favour of reducing the cost of Government, especially if he is paying for the broadband himself which I doubt but don’t know really. If we the unclean are paying lets hope he got a good deal – 50% off for the first six months or something like that. Maybe even unlimited calls to geographic numbers bundled in.

It’s not a Friday afternoon but I feel a competition coming on here. What keyword will our fiendish enemies use for a wakeup call and where will they publish it? It might be a phrase.

“The snow geese have arrived early this winter” is not an eligible entry – that one is too obvious and would immediately put MI5 on the alert. Or is it MI6?

Entries in the comments section please. Winner gets a terrific Timico megamug which they can collect in person at #trefbash2013. As a supplementary question if you want to guess what is FM’s favourite sandwich filling then I may use that as a tiebreaker in the event of a draw.

Your mother wears army boots.

Engineer security

Is Huawei in your network a national security concern?

I am reminded that yesterday’s post on how would Huawei spy on your network has an additional dimension in the UK in that a significant chunk of BT’s 21CN infrastructure is based on the Chinese vendor’s kit. I hadn’t noticed that this hit the headlines a couple of months ago.

The BT Huawei deal would have been based on very attractive commercials spread over the lifetime of the contract. I’ll leave you to draw your own conclusions on its wisdom from a national security perspective. I don’t have any details to suppose there is a risk other than what I already covered yesterday and then I couldn’t assess the level of risk. That’s somebody’s job.

One wonders whether the powers that be might be might at this very moment be redrawing rules of engagement for secure national networks roll-outs. I can’t imagine that UK defence networks touch any part of 21CN anyway. They will be totally separate. Won’t they?

Access to non defence networks that are strategic could also be a problem. For example how are all our power stations connected? The telecommunications infrastructure itself? Imagine if nobody could make a phone call or send an email for a week? How about the oil refineries? No oil = everywhere grinds to a halt. I’m sure you can come up with other scenarios.

I dunno.

PS takes me a while to catch up with the news, I know.

End User internet security voip

How to tell if a phone call is going to be a scammer

Most people have picked up scam phone call at sometime in their recent short lives. I’ve noticed that they all have similar characteristics in that when you pick up the phone there is always a second or two of silence followed by a foreign voice saying “can I speak to Mr Davies please?” (replace Davies with your own name obv). It’s down to the latency over the internet.

It’s also because they are using some cheapo poor quality VoIP service. Thinking about it, their conversion rate would be much higher if they spent a bit more cash on better quality comms. The quality of their internet access is particularly important although in their case it might not make that much difference as I suspect the packets are traversing the internet for most of their journey. A good quality VoIP provider will hardly touch the internet, if at all.

I’ve adopted the practice, upon hearing the noisy silence before the attempt at a con, of being very familiar “I thought it was you. I wondered when you were going to call”. This tends to confuse them momentarily. All these scammers sound the same to me anyway. It’s probably the bad line but it might always be the same person. Would explain how they always seem to know my name.

That’s how you tell it’s a scammer. It’s all about the noisy silence before they realise you’ve answered the phone.

A public service blog post from

End User internet online safety security

The return of the “virus on your Microsoft PC” scam #speedytechies @TeamViewer

The “you have a virus on your Microsoft PC” scam is back. I thought they had locked up the people responsible and this was dead. Like everything related to the internet crime – spam, botnets they always find a way back.

I got home from work on Friday and took a call from Anna of They apparently have thousands of staff servicing thousands of customers every day despite the fact that the website is only around 3 months old. Pretty impressive business growth.

Either that or Anna is lying and she doesn’t work for speedytechies. She sounded as if she was from India or maybe the Philippines – that general part of the world anyway. is owned by a small business based at a residential address in Houston Texas. You can easily find out lots of info about the business and its owner by shelling out a few dollars to an online resource that does this kind of thing. Not worth it because the chances are the scammer has nothing to do with this guy. Slightly suspicious that the website is only 3 months old though.

Anna wanted me to go to so that she could take over my laptop to check out the virus. looks like a legit site though it would be interesting to audit their list of paying customers to get a trail back to the scammers.

Anna gave me a phone number to call back if I had a problem: 18007137734. The line with Anna was not great so it might be wrong and don’t know where it terminates as I’ve not tried ringing it. Her line quality kept disappearing so she was probably using Skype or some similar OTT service.

I guess it would be possible to trace where Anna was calling from and compile a list of times that her ilk had tried the scam. It isn’t easy though for a punter and it would take a concerted effort from a number of stakeholders. It would be easier if the whole world was VoIP but it isn’t. Also the level of individual harm that will probably accrue from a single incident is not worth the effort it would take. This would have to be coordinated on a wide scale to build up a body of evidence for cross border efforts/cooperation to kick in.

That’s all for now. Ciao.

Engineer internet online safety security

How would Huawei spy on your network?

Last week the talk was about a story about former head of the CIA and the NSA, Michael Hayden, who thinks Huawei are spying on networks that have installed their kit. Link here to the Register story though it appeared in a lot of places.

One has to think about how Huawei might do this without the network operator knowing?

paul sherrattI had a chat about this with one of our networking gurus Paul Sherratt (pic inset – good looking boy) and this is what he had to say:

“They would write traffic tap/backdoor code into pre-shipped FPGA firmware or on an ASIC, hidden from any local intelligence agency code review body.  If for spying/traffic tap function, there would be some safeguards against activating the code if the router believes it is under test/non-production conditions.  There may also be some kind of ‘Hello, I am here’ call-out, which for example may be done by modifying a large DNS request packet contents and padding to the same length to avoid detection by looking at packet headers.

Whether that is even possible will depend on the hardware design – so that should also go through a full review by an intelligence body to determine if pre-shipped chips are an intelligence risk.  If they are, the only way to 100% prevent it happening would be to fully review the ASIC design and manufacture outside of China, which would probably rule out Huawei as a supplier.

It would be easier to implement in software/FPGA firmware, but easier to tackle from a security standpoint.  All software and FPGA firmware would be compiled after intelligence review and installed on network equipment after shipment.  If I were China, I may find it easier to get software engineer spies working for a more ‘trusted’ vendor not imposed with the same level of hardware and software review.”

It’s a tangled web innit? It feels as if we should be looking over our shoulder all the time.

As a footnote I used to work in the chip business. The company I worked for produced military ASICs amongst other things. it was quite common for chip designers to leave little messages or their names etched into the metal layers in empty spaces a chip. I remember once one of the guys leaving the words  “live fast die young” in the corner of a chip. They had to redo the metal mask and re-manufacture the whole chip. It was destined for a high reliability application where the notion of dying young was not too popular! Good times…

End User security

Privacy on London Underground Metropolitan Line #googleglass

hfobd_trust_thumbThe Metropolitan Line on London Underground has nice newish interconnected carriages and you can walk from one end of the train to the other. As we wound our way to Kings Cross for me to catch the train back north I noticed that the carriages were making interesting snake like movements. Very artistic I thought. I’ll video it.

I whipped out my S3 and propping against an upright for some semblance of stability I started recording (action – roll). I do this sort of thing. The first thing that happened was that a girl in the carriage noticed what I was doing and lifted her newspaper up to cover her face. That made me think.

There are obvious privacy issues in doing this although we were in a public place. However if I was wearing Google Glass I would be able to do it without anyone noticing. What is the implication of this? It really means the total end to privacy and anonymity in public places. That girl would not have noticed that I was recording.

I’m not sure there is anything that can be done about it. Maybe some sort of device that blocks other electronic devices from being able to video the space around you. There would have to be a standard for it. Maybe Bluetooth based. Not an easy thing to implement and it would only catch accidental video recording. If someone was hell bent on recording you they would obviously just disable that blocking function. I can imagine videos where lots of people had blurred out faces based on the fact that they have been transmitting blocking signals.

Makes you think dunnit?

Engineer Net security

The Fortigate100D firewall & MPLS networks

Fortigate100DI find it profitable to sit around the development teams. Someone always says “hey Tref come and see this”. On this occasion it was a couple of Fortigate100D firewalls.

Now the cynics amongst you will say so what? A firewall? What’s so interesting about that? I realise that there can be few readers of this blog of that disposition and those that are have probably only stumbled upon it by accident, never to return.

I also realise that it’s not quite the same as saying “hey Tref come and see this Cisco CRS-3 322 Tbps router”. Well we don’t have such a beast at Timico, yet (although it is is surely just a question of time before we need routers of that capacity, Cisco or otherwise). It’s unlikely that the Cisco CRS-3 would have been lying around the lab anyway as it takes up three racks and no doubt a DC hall full of power.

In fact the FortiGate100D is not a particularly high spec firewall at least compared with what you can get. It is however more than adequate for the job it is lined up for which is a network refresh of one of our customer’s MPLS implementations.

It is in the lab being set up and tested prior to roll-out sometime over the next few weeks.  These things don’t want rushing, they want careful planning. That’s probably the single biggest difference between us as an ISP now and when we first started off with just a few hundred ADSL customer and a few Ethernet connections. Planning and project management is a far bigger proportion of the network engineering job now that the straight setting up of the noughts and ones. It’s a discipline that leads to fewer tears later on and I’m all for cutting down on the time spent weeping by engineers.

These particular firewalls are destined for separate London locations on our core network. Once in they won’t see the light of day for a few more years. TTFN.

PS thanks to that fine person Gareth Bryan for this snippet.

Business security voip

How to make your VoIP secure #fraud

VoIP securityIt’s a pretty simple process to set up your own VoIP phone system. Google “free VoIP server” and you will find links to 3CX or Asterisk. Download their free software and install it on a computer in your office. Sign up for a few SIP trunks from an Internet Telephony Service Provider (eg Timico) and you can be up and running making VoIP phone calls from your Local Area Network in an afternoon. You don’t even need to buy phones. You can download free soft phones that will run on a PC or a smart phone that will work perfectly well over WiFi. The cost is minimal. It’s as simple as that.

Except it isn’t. Now google “VoIP fraud” and

Engineer online safety security

How to achieve a PCI Compliant network

Trefor DaviesA lot of effort goes into achieving PCI compliance for a network. Without going into huge detail I thought some of you would like to know the type of work we had to do to get the badge.

Implementation of secure LDAP cluster

This consists of a master server and three read-only slaves, the master server is locked down heavily and the read-only slaves are used for applications to authenticate against. All communication is authenticated and encrypted. All of our new systems have been moved over to authenticate against this LDAP cluster.

TACACS+ / RADIUS (2-Factor) authentication front ends

TACACS+ is an authentication protocol used by all our network equipment and passes authentication through to the LDAP cluster. This system was rebuilt to use encrypted communication, a well structured user/group system, and various security features.

RADIUS (2-Factor) was implemented to pass one factor of the authentication back to the LDAP cluster and the second factor back to a Yubi Key server so that Yubi Keys can be used.

Secure VPN, was implemented using

Business Regs security surveillance & privacy

The Report of the Joint Select Committee on the Draft Communications Data Bill

Report on Draft Communications data BillThe Report of the Joint Select Committee on the Draft communications Data Bill was issued this morning at one minute past midnight. It’s been in the news this morning with the deputy Prime Minister Nick Clegg calling on ministers to rip up their plans and go to “back to the drawing board“.

The 105 page Report concludes that “there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should.”

I have always said that the right balance between our personal security and our personal privacy needs to be maintained when considering this subject area and this is the tenet of the Joint Select Committee’s recommendations.

Unfortunately some of the basic conclusions of the report do not put the Home Office in a good light. There would appear to be a widespread failure to consult with many of the stakeholders involved, notably on the costs of the project and what might reasonably be achievable in terms of Communications Data capture and storage. In particular it is recommended that the HO will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

The committee recommends that the scope of the Bill be significantly reduced to cover only the retention of IP address data and “web logs” although regarding the latter they also “acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.

There is also a concern that web log data also contains content, which due to privacy concerns was specifically excluded from the Draft Bill. The committee has asked the Home Office to review whether it is operationally and technically feasible to only retain web logs of certain types of service where those services enable communications between individuals.

Regarding the storage of third party data traversing a CSP’s network it is recommended that the requirement to store such data only after attempts to retrieve the data from the third party be given statutory force. The effectiveness of this considering the overall objective must be questionable historical data is unlikely to be available in a timely manner for specific crime stopping targets.

The recommendations continue with the suggestion that the Home secretary should not have the power to extend the scope of “permitted purposes” of the bill and that indeed this list of purposes should be examined with a view to shortening it.

It is also recommended that the definitions for communications data under RIPA should be reviewed following consultation with industry with a particular focus on what is subscriber data (ie info on me and you) and what is traffic data.

A specialised SPoC (Single Point of Contact) team should be established that provides a central expertise for the approval of RIPA requests. This in theory should prevent misuse of the system – although Local Authorities are not specifically mentioned amongst the authorities that should be able to access the data under discussion here the committee recommends that bodies over and above the six in the Draft Bill should be considered for inclusion based on their case – notably the Financial Services Authority  and the UK Border Agency. Local Authorities, although representing a fairly small proportion of the nearly half a million RIPA requests each year and 20 times more likely to put in a non-compliant request.

Coming back to costs the committee is being polite when it says “that the Home Office’s cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments’ poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.”

It was nice to get a mention myself in para 276 regarding the effect on small CSPs of having to meet the requirements of this Bill.

The commitment to reimburse CPs the necessary cost of complying with the requirements of legislation should also be written into law and not left in any doubt.

Finally  “the figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.”

The cost aspects of the recommendations are pretty damning. It would be nice to think that as much effort is put into all legislation as this committee has put into the Draft Communications Data Bill. I’m thinking specifically of the Digital Economy Act but I’m sure there must be others.

I’m not totally comfortable that any safeguards built into the Bill will really work, especially when it is noted that nobody can 100% guarantee the security of the storage of the data. At least on this occasion  the Government is being sent away and told to get their homework right and the subject of security versus proportionality is highlighted as being central to the debate.

That’s all for now. You can read the whole report here. I’m sure I will have missed something. You can also read my other stuff on this subject – use the search box at the top right hand corner of this page. There is a lot of material.

End User scams security

Great phishing season

All you anglers out there will appreciate this little phishing effort from “Lloyds Bank”. I picked it up from our spam filter – pleasing to see that it works. I do wonder what percentage of recipients of this kind of email actually fall for it.

This one isn’t a bad attempt though as is the nature of these things they have speled departament wrong & the use of grammar isn’t quite how I like it. Should have worked harder for their English GCSE. They might have got a proper job instead of having to resort to crime. The italics are mine.

The inset photo is of me with a phishing rod on the pier at Whitby, Summer 2008 (fwiw – it’s the nearest I could find that had anything to do with the subject).

Dear Customer,

This is an important Lloyds TSB Bank Security Message. We reviewed your account and we suspect that it may have been compromised. Assuring the security of your account and of Lloyds TSB Bank’s Network is our primary concern. Therefore, as a preventive measure, we have temporarily limited your account. Please take the following steps in order to restore your account access and ensure that your account has not been compromised:

1. Please Download the Login Form attached to your e-mail.

2. Login to your Lloyds TSB Bank account and fill in all required information.

3. We will review your activity to confirm that you are the account holder and we will remove any restrictions placed on your online banking account.

If you choose to ignore our request you leave us no choice but to suspend your online account indefinitely.

IMPORTANT NOTICE: You are strictly advised to match your information rightly to avoid service suspension.

Kind regards,
Lloyds TSB Bank Online Security Departament.

Please send us any scam/phishing emails you have received. Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Lloyds TSB Online Bank account and choose the “Help” link on any page.

Copyright Lloyds TSB Bank Plc. 2012 – All rights reserved. Email ID # 705

End User security spam

Automated spam calls to mobile – what to do

unwanted automated phone callsThe scam business continues. Just got what I think was another PPI mis-selling call via automated call to my mobile. The originating number was 07588034908. I was expecting a call and was just trying to figure out if this was it at the same time as answering the phone so I missed the first half sentence. I just caught the words “to claim your compensation press 5” so I hit the cancel button.

This is the first time I have had an automated phone call. I stayed with some friends in the USA once and they never used to take a call at home until the person had started to leave a voice mail so they knew who it was. They got so many automated calls it had become a real nuisance.

It started to get like that here to the point that the ICO has begun to address the problem. It may be that the ICO makes headway but I’d like to bet not. The law is complex with many areas where it is not easy to prove guilt. It is also difficult to know whether you have given permission for your number to be called by accidentally not unchecking a box at some stage of an online registration process. The Telephone Preference Service (TPS) certainly doesn’t seem to be effective.

There is more info on this subject on the ICO website here. It covers unwanted marketing calls, texts and faxes and tells you what is and isn’t allowed and what you should do if you get these unwanted communications.

I just registered the above phone number as the source though often these are pre-pay sims where the operator doesn’t know who the owner is. I rang it back but it is obviously just a machine making outbound calls. If we all register incidents as they happen we may at least make some progress.

The PPI mis-selling compensation industry may not be outside the law but the methods used to drum up leads must surely be pretty borderline.

End User security

Payment Protection Insurance – are you eligible for £7,500 compensation?

Just had a phone call from an Indian sounding gent called Harry Connor. Actually he wasn’t totally sure what his name was because when I asked him again at the end of the call he said it was Sean Connor (not sure how he spells Sean – could be Shaun or Shawn – sorry). Perhaps he flips between both names without thinking – kind of split personality.

He was calling me about my Payment Protection Insurance and said I was eligible for £7,500 compensation.  It was all above board because he said the Ministry of Justice was behind it.

I like to make sure I’m dealing with reputable folk when being asked about financial stuff so I asked for the name of his company ( and their phone number (020 881 907 01). He said they were headquartered in London but had an office in Manchester.

Unfortunately I must have mistyped both the name of the company and the phone number and now not only can I not ring him back but I can’t even track down his website.

Ah well – another opportunity to make a fast buck lost. Never mind. I dare say he or one of his colleagues will call back. They have already called about 6 times.

I realise that the Telephone Preference Service doesn’t work overseas but someone needs to come up with a solution for this problem.

Listen to the phone call by clicking on the image of the phone below:

Image in the video is courtesy of Wikipedia

Business Regs security

Now where did I leave that important information? #commsdatabill

You will of course recall my recent post on Big Data in which I related how many laptops are left in the back of taxis. 10,857.14 of them every year to be precise. Well I was wrong. Not only did I underestimate how many cabs there are in London but the average number of laptops left in them every year was wrong.

Today I was picked up by a driver who estimated he had found 8 laptops over the last 5 years (up from the previous 4 in 7) and that there were around 25,000 black cabs in London (up from 16,000).

This bumps up the averages. To  make it easy on myself if I assume only one a year that suggests that 25,000 laptops are left in London black cabs every year.

Now I know someone will pipe up and say that this is not very scientific and

End User Regs security

your password here? oh dear! #LinkedIn

I note from the Daily Telegraph that LinkedIn has had 6.5 million passwords stolen and published on a Russian website. When did you last sort out your passwords> Have you got a password policy? Worth getting one I’d say.

This is a perfect example of why we shouldn’t let the government collect data about us. It is going to be lost or stolen or accidentally published. It’s a racing certainty. More here.