Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
Geographical numbers (i.e. the number which an SMS is sent from) can be purchased by a telecoms company, e.g. an SMS gateway supplier, relatively easily. It does not necessarily mean the message is sent from a company within Iran. Once the message is delivered to the Iranian telco, then that's a different matter.

On 16 Jan 2015, at 17:44, Amin Sabeti aminsab...@gmail.com wrote:

> Google has sent its codes via SMS with an Iranian number since 6 months ago.
>
> On 16 January 2015 at 17:39, Collin Anderson col...@averysmallbird.com wrote:
>
>> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi elhamu...@hotmail.com wrote:
>>
>>> I think it means the codes are generated by the state agencies.
>>
>> They are not, the international companies would contract with an SMS gateway to send codes. That SMS gateway should be more or less a dumb pipe that transmits whatever it is sent by the provider. It so happens that now the pipe is closer to the user but the source stays the same. The SMS gateway and telecommunications companies can certainly surveil or modify the content (the latter wouldn't be useful for 2FA), but it should not generate the codes.
>>
>> --
>> Collin David Anderson
>> averysmallbird.com | @cda | Washington, D.C.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
On Fri, Jan 16, 2015 at 10:42 AM, Nariman Gharib nariman...@gmail.com wrote:

> I want to know if anybody here knows whether it is a big deal or not, and how we can solve this issue?

Their SMS partner probably now has a relationship with a local telecommunications services company. I'm not sure it's any more dangerous than if the messages were from an international number since it's all equally accessible to interception, which is not to say there aren't concerns in that regard. I should hope those codes wouldn't be generated by a service accessible by Iranian authorities.

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
I think it means the codes are generated by the state agencies.

From: col...@averysmallbird.com
Date: Fri, 16 Jan 2015 11:23:12 -0500
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'

> On Fri, Jan 16, 2015 at 10:42 AM, Nariman Gharib nariman...@gmail.com wrote:
>
>> I want to know if anybody here knows whether it is a big deal or not, and how we can solve this issue?
>
> Their SMS partner probably now has a relationship with a local telecommunications services company. I'm not sure it's any more dangerous than if the messages were from an international number since it's all equally accessible to interception, which is not to say there aren't concerns in that regard. I should hope those codes wouldn't be generated by a service accessible by Iranian authorities.
>
> --
> Collin David Anderson
> averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi elhamu...@hotmail.com wrote:

> I think it means the codes are generated by the state agencies.

They are not, the international companies would contract with an SMS gateway to send codes. That SMS gateway should be more or less a dumb pipe that transmits whatever it is sent by the provider. It so happens that now the pipe is closer to the user but the source stays the same. The SMS gateway and telecommunications companies can certainly surveil or modify the content (the latter wouldn't be useful for 2FA), but it should not generate the codes.

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
Google has sent its codes via SMS with an Iranian number since 6 months ago.

On 16 January 2015 at 17:39, Collin Anderson col...@averysmallbird.com wrote:

> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi elhamu...@hotmail.com wrote:
>
>> I think it means the codes are generated by the state agencies.
>
> They are not, the international companies would contract with an SMS gateway to send codes. That SMS gateway should be more or less a dumb pipe that transmits whatever it is sent by the provider. It so happens that now the pipe is closer to the user but the source stays the same. The SMS gateway and telecommunications companies can certainly surveil or modify the content (the latter wouldn't be useful for 2FA), but it should not generate the codes.
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
I think regardless of its sender, since the authority can read the SMS it would be better to ask users inside the country to use the app rather than a mobile phone number.

On 16 January 2015 at 12:44, Amin Sabeti aminsab...@gmail.com wrote:

> Google has sent its codes via SMS with an Iranian number since 6 months ago.
>
> On 16 January 2015 at 17:39, Collin Anderson col...@averysmallbird.com wrote:
>
>> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi elhamu...@hotmail.com wrote:
>>
>>> I think it means the codes are generated by the state agencies.
>>
>> They are not, the international companies would contract with an SMS gateway to send codes. That SMS gateway should be more or less a dumb pipe that transmits whatever it is sent by the provider. It so happens that now the pipe is closer to the user but the source stays the same. The SMS gateway and telecommunications companies can certainly surveil or modify the content (the latter wouldn't be useful for 2FA), but it should not generate the codes.
>>
>> --
>> *Collin David Anderson*
>> averysmallbird.com | @cda | Washington, D.C.

--
S.Aliakbar Mousavi
Re: [liberationtech] Receiving phone verification and 2-Step Verification codes through a 'number inside Iran'
I think that's reasonable, not only due to the potential for interception or blocking of the messages, but also because these usually have a shorter lifespan, which should provide some added protection against the phishing of 2FA codes.

On Fri, Jan 16, 2015 at 12:54 PM, S.Aliakbar Mousavi mousavi.s...@gmail.com wrote:

> I think regardless of its sender, since the authority can read the SMS it would be better to ask users inside the country to use the app rather than a mobile phone number.
>
> On 16 January 2015 at 12:44, Amin Sabeti aminsab...@gmail.com wrote:
>
>> Google has sent its codes via SMS with an Iranian number since 6 months ago.
>>
>> On 16 January 2015 at 17:39, Collin Anderson col...@averysmallbird.com wrote:
>>
>>> On Fri, Jan 16, 2015 at 12:10 PM, elham gheytanchi elhamu...@hotmail.com wrote:
>>>
>>>> I think it means the codes are generated by the state agencies.
>>>
>>> They are not, the international companies would contract with an SMS gateway to send codes. That SMS gateway should be more or less a dumb pipe that transmits whatever it is sent by the provider. It so happens that now the pipe is closer to the user but the source stays the same. The SMS gateway and telecommunications companies can certainly surveil or modify the content (the latter wouldn't be useful for 2FA), but it should not generate the codes.
>>>
>>> --
>>> *Collin David Anderson*
>>> averysmallbird.com | @cda | Washington, D.C.
>
> --
> S.Aliakbar Mousavi

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
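
Added example, not part of the thread: authenticator apps commonly implement time-based one-time passwords (RFC 6238), so the sketch below shows why such a code never crosses an SMS gateway or telco and why it stops being accepted shortly after it is shown. The secret is the public RFC 6238 test key; the 30-second step and the one-step drift allowance are assumptions, not any provider's actual settings.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code is displayed (assumed; RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # public RFC 4226/6238 test key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch.

    Phone and server each compute this locally from the enrolled secret;
    no message is sent, so there is nothing on the network to read or block.
    """
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, unix_time: int,
           drift_steps: int = 1, digits: int = 6, step: int = STEP) -> bool:
    """Server-side check: accept only codes from the current step +/- drift."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-drift_steps, drift_steps + 1)
        if counter + d >= 0
    )


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)  # code shown on the phone at t = 59 s
    for later in (59, 89, 149):
        print(later, code, "accepted" if verify(RFC_SECRET, code, later) else "rejected")
```

A phished code is therefore only useful to whoever replays it within the acceptance window, which is the "shorter lifespan" property mentioned above; it does not stop a phishing site that relays the code in real time.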