It is a fairly rare occasion when one gets to meet one’s childhood (or to be more accurate, teen) hero. For me, growing up as a teenage computer geek in Israel, during the late 80’s, early 90’s, the electronic world was a bold new frontier of opportunities and challenges. I distinctly remember the original myths that were spread around the teenage geeks – there is a box, called a “blue-box”, it’s a box of wonders – enabling you to bypass the local PTT systems and call abroad for FREE. It was the early 90’s, long distance phone calls were expensive, beyond expensive – they were outrageous. Calling abroad was even worse, it could easily amount to $2-$3 per minute, doing it the normal way. The “blue-box” for us was a myth, a box of wonders that no one ever got around to actually seeing.

Then, in late 1989, something happened: a friend of mine returned from the US with what I could only call a magazine – back then it was called a zine. I can’t call it a magazine, as it was a group of dot-matrix printed pages, stapled together. My friend said: “This is a hacker’s magazine, but I can’t understand the blue-box thing”. My eyes lit up: could it be, did the pages truly include a description of what the blue-box was? I looked at it and replied: “Of course you don’t understand this, you are a computer science major – not electronics”. I studied electronics and the blue box made sense to me. The pages included the entire circuit diagram – I was fascinated. I built my first “blue-box” using those diagrams, it was crude, it wasn’t pretty, but it worked – well, it worked for exactly 15 minutes, then the power regulator I used kind’a fried. That was my beginning in the world of Hacking and Computer security.

After reading about/building my first “blue-box”, I continued to consume information. I used the box, each time for short intervals and each time getting to download more information. I remember being connected to the Channel One BBS in the US, downloading the hacker’s chronicle and reading through like mad. I learned about the works of a man nicknamed “Captain Crunch”. His work in investigating the various properties of the telephone network amazed me – at that age, for me, he was a modern day Robin Hood. Fighting the system, from within the system – showing how frail it is, and abusing it to the max. I must say something here: unlike the USA at that time, we didn’t have anti-hacker laws in Israel, thus, computer crime was so rare, they didn’t even know what to do with hackers – if they ever managed to catch them.

Fast forward 25 years, I’ll be 40 next month. Over the years I’ve learned that Captain Crunch is the alias of John Draper. I first met John in 2000, at a hackers’ convention in Israel called Y2Hack. I didn’t get to chat with him much back then, it was a busy event. This year’s Astricon was in Las Vegas, where John currently lives. After learning about John’s medical condition, I decided I would like to pay the man a visit. Normally, you don’t get around to meeting people who had influenced your life in such a deep manner, but here I had a chance. So, Eric and I contacted John – who was more than happy to join us for dinner.

It is clear that John is not at his best, in severe pain from his latest surgery – and most surely medicated for his pain. However, sitting down with him for dinner, one thing is very much clear – when it comes to technology, John is as sharp as ever. The conversation rapidly moved from talking about history, to talking about modern day cellular technologies, how roaming works, phantom base stations, HTML5, WebRTC and more. At times, it would seem that the conversation would float away, but John rapidly closes in on the subject – and being in his physical condition, that isn’t simple (I guess).

John, very much like other visionaries that hadn’t been completely acknowledged by society – sorry to say, is far from what we would imagine him to be at this age. Normally, we imagine that people like John would be living a good life, after all, the computer age was very much built on much of his work and findings. But, the truth is that John’s friends started a qikfunder campaign to fund his medical bills. Amazingly enough, John isn’t a rich man at all. For someone who was acclaimed as “If it hadn’t been for the blue box, there would have been no apple” (Steve Jobs, 1994) – it is somewhat discomforting to see him like this.

I truly wish John all the best and wish him a speedy recovery – as his mind is as sharp as ever, and I truly hope to see him back at the tech-helm as soon as he can.

After seeing far too many movies about the US and after visiting the US a few times, many people tend to disrespect the FBI in the USA. While I have much respect for most law enforcement agencies, wherever these are located in the world, I must admit that the latest warning from the FBI regarding Asterisk borders on pure hysteria and a complete misunderstanding of the actual issue.

On Dec 8th, the FBI issued the following warning:

New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks

The FBI has received information concerning a new technique used to conduct vishing attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBX systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

http://www.ic3.gov/media/2008/081205-2.aspx

Now, after a full weekend of frenzy trying to understand the cryptic warning the IC3 had issued, it was gathered that it is referring to an old time bug, related to Asterisk distributions prior to 1.4.18. Being familiar with the particular bug and the exploitation method – I can say this: They surely have no idea what they are talking about!

The exploitation of the bug requires several pre-requirements:

  • A certain IAX2 configuration has to be deployed
  • A certain version of Asterisk must be used
  • A certain form of dialplan has to exist
  • Your Asterisk server needs to be available on the Internet

Now, even when these 4 are met, the exploitation isn’t all that simple or that straightforward. So, in other words, if you are not utilizing any of the above, you can rest assured that your system is fine. In any case, any system is only as secure as the dumbest user (in our case developer/sysadmin) who uses it.