Friday, September 8, 2017

Credit Freezes and You

How to Freeze and Unfreeze your Credit

To be clear, this changes things in ways you may not expect, and it is not for those who don't want to put in a little work in order to maintain a much higher level of security over their financial records.


First, why on earth would you do this?  Freezing credit sounds ominous, but it is really the only way YOU can maintain control of your bureau records.  There are many "credit notification" services, but they are purely detective controls: they can only tell you when someone else is ALREADY trying to use your credit.

Famously, the CEO of Lifeline had his identity stolen over a dozen times.  This is easily understood, since credit monitoring is not meant to prevent activity, only to inform you when it happens.  Freezing does the opposite: it essentially acts as a whitelist for interacting with your records at the credit bureaus, one that you control directly, and in so doing it prevents unauthorized attempts before they would even trigger an alert (if you did happen to have a monitoring service).

Depending on your state, different laws govern what freeze capabilities the credit bureaus must legally provide.  But they all tend to implement it the same way (TransUnion being the exception).  There's a form you fill out with personal information, including your address, your name, your SSN and your DOB.

Note about Addresses: When it comes to your address this will get a little tricky in the future, but for the sake of this document we’ll assume your residences are all in sync with each of the bureaus from the start.  This will matter, because after you freeze your credit no creditor can update your address until you either release and do it yourself, or release and ask that the creditor update your address.

In the case where you can get some (less than all) of the agencies to verify your identity it's likely due to some of the data not matching.  If you were able to access one of your agency profiles, you can use that agency to perform a multi-bureau credit check.  When you do this, you will then have enough information to authorize freezes for the remaining bureaus. 

Each bureau has a slightly different take on this from a marketing perspective, and until recently didn't really provide anything beyond the bare minimum capability for freezing/unfreezing your credit.  They're getting a little better, but it still seems to be whatever the minimum required by law is.

The Credit Bureaus

There are four credit bureaus in the United States: Experian, Equifax, TransUnion and, most recently, Innovis.  They each hold what they consider an authoritative copy of your credit history, open accounts, and any individual report on those accounts.  They support the creditors by providing paid access to your credit history (through soft and hard hits: see Credit Karma's explanation here.)

A freeze is actually the only hard action you can perform yourself to create a hard barrier between your credit bureau data and questionable creditors or fraudsters.  Each bureau has its own form for this; TransUnion seems to be the best about trying to provide a usable customer experience (to upsell their monitoring services).

If you have any open accounts that are being tracked by a bureau, those creditors are the only ones who can perform any action (update) to your account, but only on the existing accounts the creditor had on file at the time of the freeze.  So this isn’t a cure-all, or meant to be a way to protect yourself against real dings against your credit, only those you didn’t authorize.

Ok I’ve frozen it, now what?

Whoa! Hang on there, before you begin make sure you've written down the address as it was at the time you put in the freeze and put it somewhere you can find it later.  Once you've frozen your credit, nobody can update the address shown as your residence. It's a good idea to keep a copy so you can reference it when you need to release your credit freeze; they will ask for it again.

Also, it should be a real address (some of the bureaus will only mail a PIN to unlock, and make it rather challenging to unlock if you didn’t receive that letter.)

Caveat: make sure you don’t need to perform any credit related actions for the next two weeks (getting a loan, buying new insurance policies, renting a new place, buying/renting a car, getting new utility service, getting a new cell phone plan) because you’ll be waiting for the PINs in order to unlock your credit the first time.

Once you receive the PINs, you should put them somewhere safe and accessible for when you need to allow others to access your data.  Using a password manager is a great way to store all of this information (freeze address and freeze PIN).

I’ve gotta unfreeze it, like right away!!

Not a problem!  You can do this the same way you enabled the freeze, only you don’t need to wait for any letter.  It can take less than 10 minutes to unfreeze all four bureaus if you’ve prepared your information as recommended before.

Note: Make sure to ask the creditor (agent querying your credit) which agency they use, if they know which it can save you time and 20-30 dollars depending on your state.  If they only use one, you can simply unfreeze that bureau and leave the others alone.

When you want to unfreeze your credit, depending on the state listed in your freeze address, you will either have to pay a small fee (I believe the maximum is 20 dollars) or it may be free.  Once you've input the data the bureau needs to authenticate you (address, SSN, DOB) you can select the mode of the lift.

You can choose to lift it indefinitely which essentially removes your freeze. You can choose to release it for a set time period, after which time the freeze returns (most bureaus use the temporary mode for this behavior) or you can choose to generate and provide a pin/password that a specific creditor can use to query your credit.

While it is beneficial to start with a pin/password, many folks who are executing credit screening don’t have access (due to using a third party service) or have no idea how (it’s not very popular, yet) to use a PIN to access an individual’s credit history.  In those cases, opening all bureaus and setting the temporary window to the time they’ll be querying is your best bet.

What does this mean long term?

If you optimize your unfreezing to cover only those bureaus actually being queried, ONLY the bureaus that were used to provide hard hits will have your new accounts on record.  They will also only receive your address information during those brief periods of unfreezing, so it is possible for the addresses at the different bureaus to get out of sync (which is why you need to keep track of them).

It’s recommended to manually update your bureau addresses during your unfreezes if you want to maintain a single address, it makes it a whole lot easier.
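The workflow above (freeze everywhere, record the freeze address, lift only the bureaus a creditor actually uses for a fixed window, and watch for addresses drifting out of sync) can be modelled as a small state machine. The following is an added example, not code from the original post or from any bureau; the bureau names come from the post, while the record shape, the hypothetical password-manager entry names and the sample addresses are constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The four bureaus named in the post.
BUREAUS = ("Experian", "Equifax", "TransUnion", "Innovis")


@dataclass
class BureauRecord:
    """What you need to remember about one bureau after freezing it."""
    name: str
    frozen: bool = False
    freeze_address: Optional[str] = None   # address given when the freeze was placed
    address_on_file: Optional[str] = None  # what the bureau currently shows
    pin_ref: Optional[str] = None          # password-manager entry name, never the PIN itself
    lift_until: Optional[datetime] = None  # expiry of a temporary lift


class FreezePlan:
    def __init__(self, current_address: str) -> None:
        self.current_address = current_address
        self.records: Dict[str, BureauRecord] = {b: BureauRecord(b) for b in BUREAUS}

    def freeze_all(self) -> None:
        """Place a freeze everywhere and record the address used, as the post advises."""
        for rec in self.records.values():
            rec.frozen = True
            rec.freeze_address = self.current_address
            rec.address_on_file = self.current_address
            rec.pin_ref = f"credit-freeze/{rec.name}"  # hypothetical vault entry name

    def is_frozen(self, bureau: str, now: datetime) -> bool:
        rec = self.records[bureau]
        if not rec.frozen:
            return False
        # A temporary lift leaves the freeze in place but suspended until it expires.
        return rec.lift_until is None or now >= rec.lift_until

    def lift_temporarily(self, bureaus: List[str], days: int, now: datetime) -> List[str]:
        """Lift only the bureaus the creditor says it uses, for a fixed window."""
        for b in bureaus:
            self.records[b].lift_until = now + timedelta(days=days)
        return list(bureaus)

    def lift_indefinitely(self, bureau: str) -> None:
        """The 'indefinite' mode from the post: this simply removes the freeze."""
        rec = self.records[bureau]
        rec.frozen = False
        rec.lift_until = None

    def creditor_updates_address(self, bureau: str, new_address: str, now: datetime) -> bool:
        """A creditor can only change the address on file while the freeze is lifted."""
        if self.is_frozen(bureau, now):
            return False
        self.records[bureau].address_on_file = new_address
        return True

    def out_of_sync(self) -> List[str]:
        """Bureaus whose address on file no longer matches the recorded freeze address."""
        return [b for b, r in self.records.items() if r.address_on_file != r.freeze_address]


def walkthrough() -> Dict[str, object]:
    """Constructed scenario: one bureau is lifted for a week and a creditor updates it."""
    t0 = datetime(2017, 9, 8)
    plan = FreezePlan("1 Example St, Austin TX")  # constructed sample address
    plan.freeze_all()
    plan.lift_temporarily(["Experian"], days=7, now=t0)
    day1 = t0 + timedelta(days=1)
    updated = plan.creditor_updates_address("Experian", "2 New Rd, Austin TX", day1)
    blocked = plan.creditor_updates_address("Equifax", "2 New Rd, Austin TX", day1)
    return {
        "experian_updated": updated,
        "equifax_blocked": not blocked,
        "refrozen_after_window": plan.is_frozen("Experian", t0 + timedelta(days=8)),
        "out_of_sync": plan.out_of_sync(),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The design point is that `freeze_address` is recorded once and never overwritten by the bureau side; `out_of_sync()` is the check to run after every lift so you know which bureaus need a manual address update next time you release them.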

Tuesday, September 8, 2015

Apollo 6 and the wiring fuckup

About two years ago I had the pleasure of visiting the Johnson Space Center and managed to sneak into the Saturn V exhibit when nobody was around.  Now I mean that literally, the exhibit was completely empty.

After spending some time looking at the massive F-1 engines (scale is so difficult to convey, but imagine a tanker big rig: the width of the engine bell is wider than that), I moved on to the first stage.  It is so massive it defies modern thinking.  We still haven't built something so large since.  It's a marvel sitting on its side.  One can only imagine how it looked for its all-up testing and launching.  It is a massive monstrosity.  It was also designed in the 60s and had incredibly tight tolerances.

Every system manager was asked to "make it lighter."  Fueled and on the pad, the vehicle weighed almost 3 thousand metric tons.  All of that mass to lift 120 tons to orbit.  Less than 4% seems like such a minuscule amount when it comes down to it.  But in 1960 slide rules and gray-matter brought men to the stars.  The Apollo program was no exception.

After having snuck into the Saturn V exhibit (it wasn't locked, and it was a Sunday afternoon) I found myself standing in front of the second stage, looking into the interstage.  It was massive, and amazing.  At each tier of the rocket, it shrank slightly and the second stage was still seemingly massive.  Inside the interstage were huge copper connectors, oxidized from exposure to the Houston weather for decades.

Connected with small dollops of solder were individual wires.  The wires are unwrapped (you can see them today) and run along the most economical route in the interstage to their corresponding terminal.  But there are hundreds of them.  Anyone familiar with electrical engineering can see, and easily understand, how Apollo 6 happened.  The hundreds of individually run wires would each require a human to connect and isolate each terminal.

The massive undertaking would have to be repeated at every interconnection and then again at every component that needed to be telemetered or controlled.  Thousands of terminals would need to be connected correctly, and one simple mislabeling or miswiring would easily have accounted for Apollo 6's unfortunate engine.  From the wiki: "Unfortunately, the command signals for engine three were partially cross-wired with engine two, so that the shutdown of engine two caused a liquid oxygen valve for engine three to close, resulting in a shutdown of that engine as well."

It's easy to see why this was the assumption.  It would have been easy, even under immense scrutiny, to mistakenly wire one engine as another.  

I stood in front of the open interstage in awe: the massive effort, the hundreds of thousands of man hours, and even then a simple human fuckup nearly caused a flight failure.

Overall, outside the aerospace community most people don't realize that Apollo 6 was an almost complete fuckup.  It didn't have a Hollywood Apollo 13 rendition, or even a Discovery Channel review of near misses.  It didn't rate like the shuttle repair of the Hubble, or like the moon landings.

Nobody remembers the near misses that still succeed, as misses.  They're successes.  Engineers will still suffer over the failure, make the system better overall, and attempt to prevent the same thing from happening again.  Which is exactly what engineers do, but we should recognize this as what it was.   A near hit that superb engineering had nonetheless designed around the entirely improbable, but nonetheless very realized, eventuality.

Gazing at this massive racetrack of individually isolated 20mm wires I still revel in amazement at the complexity of the design.  Next time I'm there I'll see if I can get a picture inside the interstage; it's remarkably unremarkable, but I still think it is worth documenting for historical purposes.

Sunday, August 30, 2015

Current Projects

This is really just a list of projects I'm planning on doing.  Each item warrants a post of its own.

  1. Electronics
    1. Hand Wired Neutrino Keyboard
    2. Defcon 23 - DCDarknet Badge
    3. RFID Cloner (from the Hardware hacking village)
    4. Custom handheld keyboard (Maybe a chording layout?)
  2. Software
    1. (Nexus 6) Android in Memory PIN brute forcer
    2. Zoneminder RasPi setup
    3. Sniffer/MHN homebrew setup (Docker instead of vagrant maybe?)

Saturday, August 29, 2015

New Keyboard

I'm working on putting together a Neutrino from Ortholinear keyboards.  It's essentially a kit that contains an aluminum plate and an aluminum and acrylic case (a bunch of flat pieces really.)  I have built an atomic keyboard before (a kit that's a grid layout and is entirely hand wired.)

It would seem it's a large quantity of work for what is essentially an "imperfect" keyboard by typical standards.  I actually found I really liked the layout when I used it exclusively.  It had the benefit of more vertical movements and less diagonal transition movements with my hands while typing.

Unfortunately it's just off enough (and I don't have multiple Atomic keyboards) that whenever I would go from work to home I would have a period of adjustment.  It drove me nuts.  I loved the layout, and have great keycaps on the keyswitches, but it's just not worth the period of relearning every single day.

Also, when going from a fixed keyboard, such as a laptop, back to the ortholinear it would take the same amount of adjustment.  I'm really talking about 30 seconds or so, but it's enough that the mental adjustment was frustrating.

The Neutrino, by contrast, is normally a hand wired standard offset keyboard.  Assembled it would, presumably, have no real adjustment time since it would be the same offset as any other qwerty keyboard one uses daily.  This seemed like the perfect design for me.  I have built several keyboards, and they all aren't quite the layout I want.  The Neutrino is nearly exactly the layout I would design if I was doing it from the start.  I started out and bought a kit (top and bottom plates plus a middle divider made from acrylic.)

The work I did on the atomic keyboard gave me experience when it comes to how keyboards really work.  I decided I was going to try and make my life easier.

For some idea of what it takes, a member of the mechanicalkeyboards subreddit livestreamed soldering a planck keyboard (which is ~20% less complicated than an Atomic.)  It took him more than 6 hours to complete from start to finish.

Since the process of hand wiring a keyboard is so incredibly time intensive, I had decided I was going to try and make the process easier.   Having also built a phantom, and an infinity v60 keyboard I knew how beneficial using a PCB was to creating a keyboard from scratch.

It is so much easier to solder points to a PCB (through-hole points) than it is to solder individual wires and diodes to each other by hand.  With a little research I found the "enabler" PCBs.  They are small printed circuit boards that allow through-hole mounting of switches, diodes and LEDs.  The caveat is that instead of an integrated circuit board where all switches go into one large board, they are individual PCBs that you have to cross-wire between each other.

The image to the right has a few of the PCBs by themselves, and a row of switches soldered to a Neutrino.  At first glance it definitely looks like it will allow an intrepid keyboard creator the ability to make a much cleaner keyboard design.   But that's at first glance.

To give some more clarity let me break down the process for a hand wired board:

Step 1: Insert switches into plate
Step 2: Solder a Diode to one side of the key switch
Step 3: Solder the end of the diode to the next diode (off of the next switch.)
Step 4: Solder the other terminal on the switch to a wire that is connecting vertically to the switch above & below it.

Per switch, you are basically only soldering three times.  For a keyboard composed of roughly 70 keys, you are soldering 210 times.  It actually goes pretty quickly and you can make it look relatively decent after a little practice.

You can see in the image above, the grid layout sort of forms itself with a bit of practice.  While still rudimentary, it can be somewhat orderly.
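The four steps above describe a diode matrix: each switch's diode is chained along a row, and the switch's other terminal is wired down a column. A practitioner usually wants to see why the per-switch diode is worth the extra solder joint, so this added example (not code from the original post or from any keyboard project) simulates the matrix scan a controller performs and goes a little beyond the text by showing the "ghost" keypress that appears when the diodes are omitted. The row/column sizes and the pressed-key set are constructed for the illustration.

```python
from typing import FrozenSet, Set, Tuple

Key = Tuple[int, int]  # (row, column) position of a switch in the matrix


def scan_matrix(pressed: Set[Key], rows: int, cols: int, diodes: bool = True) -> FrozenSet[Key]:
    """Simulate the controller driving each row in turn and reading every column.

    A pressed switch connects its row line to its column line. With a diode in
    series (the hand-wired layout in the post) current can only flow row -> column,
    so the controller sees exactly the keys it drove. Without diodes the pressed
    switch conducts both ways, and current driven into one row can sneak back up a
    column, through a second pressed key into another row, and out through a third.
    """
    seen: Set[Key] = set()
    for driven_row in range(rows):
        reached_rows: Set[int] = {driven_row}
        reached_cols: Set[int] = set()
        frontier = [("row", driven_row)]
        while frontier:
            kind, idx = frontier.pop()
            if kind == "row":
                # Row line energised: every pressed switch on it pulls its column.
                for r, c in pressed:
                    if r == idx and c not in reached_cols:
                        reached_cols.add(c)
                        frontier.append(("col", c))
            elif not diodes:
                # Column line energised and no diode to block it: current flows
                # back through any other pressed switch on that column into its row.
                for r, c in pressed:
                    if c == idx and r not in reached_rows:
                        reached_rows.add(r)
                        frontier.append(("row", r))
        # Every column that reads active while driven_row is driven is reported
        # as a keypress at (driven_row, column), real or not.
        seen.update((driven_row, c) for c in reached_cols)
    return frozenset(seen)


def ghost_keys(pressed: Set[Key], rows: int, cols: int) -> FrozenSet[Key]:
    """Keys the controller would report without diodes that were never pressed."""
    return scan_matrix(pressed, rows, cols, diodes=False) - frozenset(pressed)


if __name__ == "__main__":
    # Constructed 2x2 corner of a matrix with three keys held in an L shape.
    held = {(0, 0), (0, 1), (1, 0)}
    print("with diodes:   ", sorted(scan_matrix(held, 2, 2, diodes=True)))
    print("without diodes:", sorted(scan_matrix(held, 2, 2, diodes=False)))
    print("ghosts:        ", sorted(ghost_keys(held, 2, 2)))
```

With the diodes in place the scan returns exactly the three held keys; without them the fourth corner (1, 1) is reported as well, which is the phantom keypress the extra diode per switch exists to prevent.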

Unfortunately, the enabler requires 6 solder points per keyswitch (up to 9 if you're using LEDs).  I hadn't realized this before I started building the keyboard, and so I didn't have solid core wire and appropriate gear to strip and solder so many cables.

I will continue to make it work, but at this point the enabler seems like a giant time sink, and I'm seriously regretting not just wiring the keyboard by hand.

Sunday, August 23, 2015

Fun with Gate Codes and iPhone block feature

The management company at the apartment complex I live in refuses to give out a bypass code for the door. That means delivery people are basically fucked (have to call, or wait for someone to come through the gate.)

They do let you have an "interactive" gate access of sorts by calling your phone, and then you press 9 to open the gate. Knowing a little about telephony I figured I could give them a SIP DID that I had somewhere and set up something on Asterisk. I did them one better however.

Since I recently switched to an iPhone I have the "block" feature easily accessible. I figured I would use it to make the process a great jimmy rig. I set up my greeting to have the unlock DTMF as the first notes it plays and then blocked the source number for the gate.

Lo and behold, one ring later I have an automatic gate code so I can get back in when I'm jogging, or delivery folks can drop packages off without a code.

Wednesday, March 30, 2011

Trust in Comodo, no really...

Contrary to popular belief (and self-subscribed insanity) Comodo is not "Hacker Proof". After the breach earlier this year at GlobalTrust, it should come as no surprise that they have had yet another breach. Their CEO commented: "We are rolling out improved authentication for all RA accounts. We are implementing both IP address restriction and hardware based two-factor authentication. The rollout of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete Comodo will review 100% of all RA validation work before issuing any certificate." Reading statements like that, anyone who's studied for the CISSP in the past half decade could have told you two-factor tokenization was the norm at big shops like Verisign. Perhaps that's why Comodo's offerings are so much cheaper than the majority of their competitors. I guess trust really does have a price tag.

Tuesday, December 28, 2010

Net Neutrality

Again, it's been in the news for a while and talking heads just DON'T GET IT. Which is no surprise, they aren't paid to get it. They're paid to push Snapple. So I wrote my congressman, to make it pretty clear what the issue is, as I'm sure they aren't fully aware. To be clear, this isn't a slight on politicians, but ask a lawyer you know what they know about net neutrality and you'll get a good idea how most congresspeople see the issue.


I know something as misunderstood as Net Neutrality is getting a lot of talk time with the pundits du jour, but I feel obligated to voice my concern. I understand the largest concerns being voiced are those of the largest "people" Google on one side and ATT on the other. The thing to be aware of here is that Google seems to be on the side of the people in this. They hold more fiber than any other entity in the United States.

The people of the US are already subject to traffic shaping and prioritization by their providers. This has been a well-known fact to those of us in the industry who have to manage these devices. Netflix, Hulu, Amazon's digital download services (and soon Google TV) are threatening current content providers' business models. This is to be accepted, as the Internet is still evolving the way we do business. The problem is the content providers also own the cables that run into our homes. To use a bad analogy, the tubes are being squeezed into two different sections: the one the providers offer and the one they don't. If they aren't able to monetize the traffic, they are putting it at a lower priority to your home.

The difficulty here is, some prioritization is good. For instance, if you buy your phone service through this provider, you want the phone calls to come through even if your family is watching a TV show. But since there is no regulation in this area, there's no difference to the end users if the provider does the same thing to favor their Movie Service (TM) over Netflix or Hulu. This is clearly an abuse of the local monopolies we the American people have allowed the providers to hold.

As a congressman from the Tech State, I would hope you have heard from many people in this regard and work with your peers to present a rational (and easily understood) front to this threat to our digital democracy.

I'd urge many to do the same, as the more people advertising this the better. We, the American People, need to make sure our representatives understand our concern. We don't have a lobby that does it for us.