Archive for January, 2011

BoA SafePass Folly

Monday, January 31st, 2011

So BankOfAmerica got on the bandwagon of using cellphones to authenticate via text message a few years ago (did I mention that I came up with the idea for this long before it was commercially available, but I was beat to the patent? true story there – even had a meeting with an investor to discuss the idea at the time). You go to some silly webpage, click on a button, and they text a code to a cellular phone that must be entered in the vein of “something you have, something you know” (your phone, login), etc. Sadly, the BoA implementation is full of all kinds of wonderful FAIL. Let me explain. Because venting helps.

To save money (or whatever), BoA grab your carrier information and replace the phone number with the text email gateway of the carrier in question – sign up using an AT&T phone and they will send to txt.att.net (which is broken anyway as it only uses 10 digits, not the full globally unique number, with country code), and keep sending to AT&T no matter how long you have that number, or whether you move carrier. So, you might think that moving to T-Mobile will get you away from AT&T, but not as far as BoA’s systems are concerned. Now, some folks at BoA did ponder this problem (however briefly), and set up some automated process based around you texting “HELP” to 73981, which allegedly also causes it to wake up and smell the coffee (technical term). The problem is, as many attest online, this is error prone and often does nothing.

So I call BoA online “technical support”, and say nice things to the first person I speak to just to get rid of them, in order to speak to whatever “manager”, “supervisor” or other entity can actually help with the problem. I know what the problem is. And of course, I’m told “can you send a text to…” – at which point I explain that I know the number, the trick, and have done this 4 times over the past 3 days before even bothering to call, that I have no confidence in that working, and that I want a technical support ticket opened with higher ups. Eventually I get this. Guess what the ticket wants? Yup. The “SIM” email gateway for my new number. In other words, they want me to tell them how to send a text to my phone via my new carrier email gateway and:

  • Can’t figure this out for themselves (the reset exposed publicly doesn’t work)
  • Won’t provide a convenient means to do this online (enter gateway or whatever)

They also asked me several times for the make and model of my phone. As if that’s going to make a difference. Apparently, it can do for the iPhone (no idea why), but I have a sane phone, a Google Nexus S. And I can guarantee it’s nothing to do with the phone. I could have my T-Mobile SIM in the cheapest, nastiest, crappiest phone around, and it would be exactly the same problem.

Overall, I’m not very confident in the Safepass system. But, hopefully, at some point today, I can finally make a transfer between one account and another without having to engage in more folly.

Jon.

PSTN call routing

Monday, January 31st, 2011

UPDATE: The bit I was missing was NPAC. All answered now.

So tonight, we ported over Katherine’s phone number from one provider to another. This got me thinking about number porting in general, and specifically the call routing implementation employed within the NANPA (North American Numbering Plan Administration) – the people responsible for assigning and managing USian/Canadian/other (now) non-Mexico NA numbers similar to the ARIN for the Internet – between carriers. I need to know.

In the case of the Internet, ARIN assigns top level netblocks, ASes, and other routable entities, and then various top-level network routers and ISP equipment broadcast routes for their 16-and-32-bit ASes. The global routing table is large but can still (mostly) fit in memory on big beefy routers because not everybody has their own AS (network). Instead, most people have a number assigned within a provider’s non-portable netblocks. When it comes to tele carriers, this isn’t true under modern NANPA. You can freely move your local phone number between carriers as you wish. The fact that you have a “617” (Boston/Cambridge/etc.) or “415” (best coast regional) number really means very little in practice as you might have moved a million times, and changed carrier too. Therefore, your number is neither really regional, nor a non-portable carrier assigned number.

Reasoning tells me that carriers can’t just announce routes for particular “blocks” of phone numbers any more because these are rapidly fragmented and hop between carriers. Nor does it seem to be practical to advertise announcements for each number individually. And yet, that seems to be the only way to truly do this right. One possibility is that such a level of route announcement is done, but at the local exchange level (the 759 in 617-759-XXXX) and even if I move regionally, there will still be an entry sitting in that exchange like in the good old days. But is it still like that? How does the routing between large telecommunications companies work in reality? I need to know. Preferably, I “need” an extremely large book that details this and the protocols involved in a ridiculous level of detail. Thanks!

Jon.

NOTE: This falls under Obsessive Compulsive Need To Know. The kind of reasoning that has me signed up to real-time alerts from my regional ISO whenever power generation within MA falls below certain levels. No normal person would care about this level of detail in their life, and I know this ;)

Telepacific abuse

Friday, January 28th, 2011

So a couple of days ago, someone from Telepacific host:

216.70.141.56

Managed to illegally obtain SIP credentials for a VoIP account I have with one of my (awesome) phone providers. Using those credentials (directly, not by compromising my Asterisk server), they illegally registered as me using a soft phone client and began making international phone calls to exotic destinations. I’m grateful that various processes worked and they were cut off after only spending $20, which is enough to be annoying, but at least not hundreds or thousands of dollars. So, then comes the aggressive action against the abusing moron.

We traced this IP, and the illegal registration(s), and phone calls. The address is owned by “Telepacific”, who seem to have changed their name or acquired “mpowercom.net” at some point. The whois record for the address in question contains these choice tidbits:

OrgAbuseHandle: MIAA-ARIN
OrgAbuseName:   Mpower IP Abuse Administrator
OrgAbusePhone:  +1-877-642-4375
OrgAbuseEmail:  ip-abuse@mpowercom.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/MIAA-ARIN

That email contact is out of date to begin with, but worse, the phone number listed is itself a SCAM service. When you call that number, you are invited to press * to sign up to some ongoing text message commitment. An abuse number is itself an “abuse number”! This is disgusting, wrong, and highly infuriating. I called ARIN, and a bunch of other organizations to have action taken against Telepacific over this, and I finally got through to Telepacific only to be fobbed off with some kind of email contact. I’m not optimistic that they’ll fix this, hence this handy blog posting.

Jon.

On Linux Platforms

Sunday, January 23rd, 2011

One of the major differences between Linux distributions, and other Operating Systems (both Free and non-Free) is that Linux often tries to give you everything from one source. Want a piece of third party software? You’re expected to get it (and its dependencies) into the distribution, and install that version(s). Other Operating Systems provide a base platform upon which third party tools, libraries, and applications can be installed into a separate location. This is close to the original intention of /opt, but it’s actually used rather than shunned as if it were some kind of bad idea to want to do this, and it allows one version of the basic OS to live for a number of years independently of any or all of the applications installed.

Unlike many distro folks and Linux enthusiasts, I actually prefer the idea of providing a basic, stable, unchanging platform upon which self-contained applications can be installed. Kinda like “Enterprise” Linux, but different – Enterprise Linux distributions basically snapshot a particular set of distro software and treat that like a “platform”, while their upstream sources don’t. In my perfect utopia, there’s a huge, bright line between basic OS components and everything else. I want a stable OS, but I might want to install a more recent web browser, or some engineering design tool that is more recent than my OS, and I want to be able to do that trivially and independently of the OS. I don’t want it installed in /usr/bin. I want my OS-supplied core junk to go in there, but I want my applications to live separately. Some experimental distros have even tried this stroke of sanity by cloning the OS X /Applications type of behavior, but only experimentally.

In my perfect world, I would get “Fedora” from the Fedora Project, I would install it, and I would get a basic environment including a desktop. It might even include a web browser, but it would not include all of the other stuff. Instead, this would be installed into completely separate directory structures, and be fully self-contained, away from the basic OS environment. It might be that some of it would come with the distro, and it might even be that some of it were packaged and distributed using distro tools, but it would be trivial to upgrade any software independently of the base OS platform because it would still be stored separately from core system components. Try installing a different version of Firefox, or some other system-supplied app on your favorite Linux distribution without having to place it into a separate directory, avoid using actual packaging, or butcher the distro config.

One day, what I want is going to happen. There will be a realization in the wider Linux community that consumers want a basic platform and that they want to be able to treat other pieces of non-core junk independently of that. But this realization (in the Linux space) is still several years away, and it comes after more people realize the benefit of having a computer that just works without the need for hacking or updating or messing around with OS pieces to get there.

Jon.

On buying components

Saturday, January 22nd, 2011

So, this is a plea for help. Back in the day, in the UK, it used to be possible to physically go to Maplin Electronics stores (now but a mere husk of its former self, barely worth the time of day) and get random components. They had huge stashes, and you could easily go buy an inexpensive pack of assorted resistors, a bunch of diodes, transistors, whatever. Building a home hacking kit was pretty easy. Then the Internet slowly killed them and hurt weekend hackers everywhere.

When I moved to the US, I brought a large quantity of passive, semi, and other components with me, and since I’ve not been doing much electronic hackery those have lasted a number of years now. But I’m in need of replenishing, and particularly in need of just a bunch of inexpensive bags of assorted components – nothing in particular, just a range of values to sit in my component boxes. I looked at DigiKey (whose website is always atrociously bad), Mouser, Newark, and all the rest (none of whom seem to know how to do good site design), but as usual the best option for the weekend hacker is to go with Sparkfun or Adafruit, and neither really does the “assorted parts” kit thing. Great if you want funky devices though.

I’m at a loss. Radioshack stores suck ass compared with even a few years ago, nobody else does decent retail components, and I’m not interested in navigating one-at-a-time expensive ordering with Digi. So where the heck am I supposed to go? I’m sure this is one of these things where I’m supposed to give up and watch MTV or enjoy Football (or another total waste of time), but I’d prefer not to. I’m more down with random intellectual pursuits instead. Recommendations for actually useful places to get what I want are quite welcome.

Jon.

Fun with Arduino

Saturday, January 22nd, 2011

So I decided to finally poke a little at my Arduino Mega 2560 last night, mostly as a random thing to do on the couch while watching Netflix. I wrote some simple programs to poke at IO ports – nothing that exciting. But I do now see the value of Arduino as a platform, especially if you just want to do something fun and not have to build an entire universe to get there. It’s not a full Linux environment, but that can be a good thing.

With Arduino, you don’t need to worry about lots of the usual microcontroller stuff since the AVR chip comes with a bootloader that interprets the “Sketch” you have compiled from Wiring (C-like) source code. You also don’t need to worry about flashing and driving serial lines because the board has one of those standard FTDI USB parts that provides both the serial programming interface and easily usable serial output, too. In other words, it’s a simple design, but also complex enough to be useful, and easy to use if you just want to make a simple gadget. At the same time, there’s a huge amount of potential there too.

As it was late, I ordered some parts on Sparkfun to replace a few in my trusty component box. I used to enjoy going to Maplin back in the day, but like Radioshack, their component selection shrank and I never really found a good place to buy small numbers of parts. Sparkfun isn’t perfect, but like Adafruit, it does seem to be one of the better places for hobbyist purchases these days. I picked up one of their FTDI based generic USB interfaces, some solid state relays, and a bunch of other bits for playing with Arduino some more as time permits. Maybe I’ll build a remote control power switch or whatever.

Jon.

Another car incident

Friday, January 21st, 2011

So, sometime over the last 36 hours, someone saw fit to drive into my car and injure her in exactly the same spot she had been hit last time, way back in…last month. It seems that it happened in the private lot at the rear of my apartment, which only a certain number of people use, in addition to various snow removal contractor equipment. The damage doesn’t seem as severe, but of course, there’s no note or phone call, or “oh, sorry dude, did I just cause that giant gash in your car?”. Maybe they were too busy on their cellphone at the time to apply some level of concentration to the task of driving a heavy vehicle.

I first noticed this when driving Katherine somewhere and my car was making a crunching sound (from the wheel impacting the panel at the rear) as we hit rough parts of the road. I thought it was snow stuck in the wheel well, but sadly found after stopping that someone had swiped the panel above the wheel with some kind of heavy machinery. After some prodding, a contractor seems very willing to accept liability, in the kind of way that comes with a realization that you’re responsible for something you should have owned up to properly before. But we’ll see. Maybe they’ll cover the loss, or maybe my insurance will ding me again for another $500 deductible. Because I just love paying those. Oh yes.

Unlike too many other MA drivers, I enjoy taking care of my car, and following the rules of the road (Chapter 90, M.G.L., and others) to the absolute letter of the law. I signal, observe proper braking distances, check my rear view mirror every time I adjust my speed or location, and I constantly assess every other driver for risk assessment of stupidity. Yet, with all of the care and attention, I am no match for the stupidity and incompetence that I see on the roads all around me every single day. People don’t signal, they don’t look, they text and drive, they eat and drive, they text, eat, and drive while on their cell phone. They don’t think “gee, I’m driving a 2 ton killing machine that has actual safety consequences”. It’s just disgusting, and it’s no wonder some people give up owning cars or go off driving them. It’s like there’s a reward for the lowest possible driving standard, and it doesn’t matter if you whack into someone in a parking lot either, because it’s assumed everyone likes dings and dents (those being so common people have given up realizing they are neither inevitable nor necessary consequences of car ownership).


Photo: Proposed MX-5 Carputer design

I’m not taking this problem lying down. I’m going to write to the governor, requesting that some actual sanity be restored in this state’s driving regulation, and enforcement thereof, and I’ve a particularly nasty patent idea for an automated means to deal with bad MA drivers (I’m filing that one privately). Meanwhile, I’m going to install a (temporary) wireless night vision camera to monitor my car while I wait for time to build out a complete solution. That will involve installing front and rear “back up” cameras on the license plates, and other cameras, attached to a BeagleBoard installed in the car with a 3G radio. I need live, streaming video of everything that happens, from every angle, complete with location data. I want it so well done that the next person who hits me and fails to do the decent thing will regret it in court. Because if people don’t understand how to drive, they hopefully do understand being sued. That seems to work a lot better in the US sometimes, and if threat of legal action is the only way to get through to some people, then so be it. So, so done with crappy drivers.

Jon.