[asterisk-biz] NuFone comes through

Julio Arruda jarruda-asterisk at jarruda.com
Sat Dec 9 08:39:04 MST 2006


cdl at asgaard.org wrote:
> Steve,
> 
> What do you think the local telco does every time they have to do a diag on your circuit?  Do you think the equipment to do that is somehow "restricted" in who can purchase it?  How do you think CALEA requests are handled?  If you think that you are magically protected because there are more bits on the line (and a DS-3 is no longer a high-cap circuit) then you are misinformed.
> 

What I would guess:

With VOIP -> Any remote exploit (think even someone installing some 
malware/rootkit in your softphone, or in the * box) to some link in the 
chain, can be used to intercept the voice path, or even, if you can 
'mess around' with the signaling path, you can make the voice path take 
a detour :-)...

With PSTN only -> You need physical access to facilities in the path, 
OR, a way to 'take over' the CALEA capabilities (which, not sure why, I 
think is unlikely)

With this, I guess sRTP would help with the VOIP path


> -----Original Message-----
> From: Steve Totaro <stotaro at totarotechnologies.com>
> Date: Fri, 08 Dec 2006 15:47:18 
> To:Commercial and Business-Oriented Asterisk Discussion <asterisk-biz at lists.digium.com>
> Subject: Re: [asterisk-biz] NuFone comes through
> 
> I would like to see you "tap into" my T3.
> 
> Harry McGregor wrote:
>> Hi,
>>
>> For some reason, everyone freaks out when something touches TCP/IP or
>> the internet.
>>
>> PSTN is not tamper proof, it's very easy to add a tap to almost anyone's
>> house.
>>
>> I dealt with a credit card company recently (HSBC) that when you sign up
>> for web access to your account (with SSN, billing zip, and card number),
>> they insist on mailing you two letters, one with a temporary username,
>> and another with a temporary password, to your billing address.
>>
>> If you called the number on the back of the card, you could get balance
>> info, purchase info, etc, all from the automated voice system.  All you
>> needed was the card number, and the billing zip code.  No last 4 of the
>> ssn, nothing.  They want to look like they are being secure for
>> "internet" banking, but good old bank by phone, well no one really cares
>> about that.
>>
>> I would far prefer encrypted VoIP, or VoIP on a dedicated Vlan over
>> copper interconnects that are easily tapped within a building.
>>
>> VoIP telco connects I'm still not sure about, but even that, if encrypted,
>> I can't see it as being any less secure than PSTN connectivity.
>>
>>                                               Harry
>>
>>
>> Mike Hammett wrote:
>>   
>>> Well, does HIPAA go into how Verizon, AT&T, Embarq, mom&pop, etc.
>>> run\operate their telco?  If your client is passing off to a telephone
>>> provider, does it matter what happens from there?


