[asterisk-biz] ANI

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Mon May 12 16:10:00 CDT 2008


On Mon, 2008-05-12 at 16:28 -0400, Jay R. Ashworth wrote:
> As I noted, I'm perfectly happy to let aggregators do it by contract;
> the hammer that will fall on them is big enough that I don't think they
> need to validate a second (or third) time.


well verification is a particularly hard thing to do correctly.  For
example, e164.org will call the phone number then place the route.  This
is not (or so it seems) done at intervals later on, which means you can
get a number, verify it, release it to someone else, get a new one, and
so on.  You would end up with a bunch of numbers you only owned long
enough to get verified, and now belong to others, allowing you to hijack
their calls.

Ok, so that is a problem with e164.org, but taking the verification
thing further, how exactly do you propose to do this for all the
customers that you have?  If you place a phone call, it only proves that
they (or a disgruntled employee) has access to that number at that
particular point in time, it does not verify anything for the future.
Signed documents asserting that a number is valid again only mean they
are valid at that point in time, which means that you have to somehow
hold the customer responsible for telling you that they no longer have
that number, unless and this is where a specific law would come into
play:

The law reads that its illegal to send it or cause it to be sent to a
phone company, and specifically excludes those that just route calls.
Basically the way it seems the florida law is written (based on news
articles about it not the actual statute which I have not read).
Basically it made it illegal if you are spoofing callerid/ani for the
purposes of deceit, but does not make it illegal for a phone company to
transit the bogus data (the whole common carrier status may also help),
nor does it make it illegal to spoof for purposes that do not involve
deceit (such as calling yourself and using it as some type of cookie).

If the laws are written this way, basically itsps only need to sit back
and wait for the subpoenas (which will be hard since most of the time
people only get caller id sometimes ani and if that is spoofed they have
no ability to trace it further - call trace by the phone company often
does not log the BTN which is usually the itsp that connected to the
pstn, using their cdr logs you can trace it back).  

I know personally I have been given subpoenas for customer information,
in one instance it was for numbers I no longer had, in another it was
for someone who was placing calls - a service I did not offer at that
time, and no one even telco employees could figure out how they were
able to place a call with that number if not through me.
-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!




More information about the asterisk-biz mailing list