You forgot nokia, symbian and all the other SMS stacks out there.

http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-whitepaper.pdf The weakest link is always exploited first. Trust nothing.

I saw this one coming. Some cell phones cannot distinguish between a moble provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.

I do not consider wire transfer services such as SWIFT a P2P technology. I wouldn't call a network of Morse code operators using telegraph lines P2P either. Getting into a semantic discussion won't solve anything though. If one were to distinguish PUBLIC P2P v. PRIVATE P2P I would say neither are secure. An internal P2P network could be easily exploited by a rouge insider. Simply stated, the government and military contractors should proactively block all P2P traffic or risk heavy fines and potential termination of employment or funding.

I forgot about that!!! There is no firewall with enough throughput to shut him up.

The data must be unencrypted to access the information. Mission critical data is useless if its always encrypted.

Banning or simply ensuring employees that they will be terminated in the event you use P2P software is a good idea. Financial Institutions already enforce strict policies regarding P2P software. Notice we haven't heard of a bank getting P2P'd lately?

This is probably worded in way that you can understand.

"In fact, it would take little more than a cable modem to deny service to large metropolitan areas in the U.S. For example, a city the size of Washington, D.C., could be taken out by a DoS attack with a bandwidth of about 2.8 megabits per second, they said."

http://www.pcworld.com/article/122878/sms_attack_could_harm_cell_phones.html


And.. You should read the section titled "Seperation of Voice and Data" (as well the whole document) from the researchers at Penn.

"Even if a provider rationalized the expense, the elevated provisioning merely makes DoS attacks more difficult but not im-possible"

http://www.smsanalysis.org/smsanalysis.pdf

This research paper is 4 years old! How long has it been since you left your parents basement?

Bullcrap yourself friendo.

It doesn't have to be that complicated. A single person with a cable connection can knock out a small area code. First, make a list of all valid cell phone numbers. Second, determine each phone numbers specific provider. Third, determine the email address for all valid numbers. Finally, email bomb all the numbers in a random order with a multi-threaded tool. SMS Carpet Bombing persay.

Rule #1, an increase in attack surface area will increase the likelihood of an attacker targeting said technology. If the software is, as YayaY stated, so fragile and providers don't shape up then we're all f'd big time.

Consideration #1, Wireshark has supported GSM stacks for a few years. Nokia has had unlocked phones for some time. gnuRadio allows for cellular communications development. Considering an unlocked iPhone isn't the only means to access cellular signaling information this probably would have happened already.

My vote, its a ploy to keep iPhone users locked in.

Thermal, Near X-Ray, Radiological, RF Detection, Camera Detection/Jamming and the list goes on. The only reason to use glasses would be to conceal yourself in public. Got $20,000 to make one?

I'll believe it when I try it... Have seen similar promises before...

>In the flash animation above the video (on the passwindow site), there are clearly more than 5 digits. I can see 16 places a digit can be (counting the _ sections of the digit, the uprights overlap). Good observation! >If I was able to have multiple attempts, I can break any password Say you were given 10 changes to guess a password, could you guess it? My point is that you could potentially enumerate any valid passwindow key with very little guesses. PassWindow key enumeration?

Never trust users!! Issuing tried and true SSL VPN tokens would be a strong solution. Would have an increased capital cost per user though...

Not rude at all to ask and is actually quite a reasonable question to pose. That is your assumption to say and only you can conclude for yourself. Ask yourself this. If your presumption were true then how does it disprove my comments in retrospect? I do believe the concept to be novel. It just needs some help from people whom test application security as a profession... A quick and simple solution would be to use out of bounds transmission of the challenge string (ex. SMS or EMail). An attacker cannot access the challenge string and cannot enumerate possible codes. Fixed!