[asterisk-users] Is there a public blacklist of hackers' IPaddresses?

SIP sip at arcdiv.com
Thu Mar 26 08:38:53 CDT 2009 

randulo wrote:
> On Thu, Mar 26, 2009 at 1:32 PM, SIP <sip at arcdiv.com> wrote:
>   
>> As an end-point ITSP, I can assure you, it would be us who's assessed
>> the requisite charges. If someone uses a fraudulent card, we're required
>> to pay. If someone uses a three letter password on his account, and it's
>> hacked into and uses to rack up charges, we have to pay.
>>     
>
> Neil,
>
> It hadn't occurred to me when writing it, but obviously there are
> situations that don't match the banking paradigm. For example, suppose
> I run my own asterisk, I have a contract with a company like yours and
> you have my banking info with an authorization to top up. If the fraud
> is someone on the banking end (hacked my card details for example)
> that's covered by the bank. But if they brute force hacked my asterisk
> install because the extension, the username and the secret are all
> '2005' and then make $100k worth of calls, people like lawyers and
> judges won't easily see that it's the asterisk install that's
> responsible, not your company or even the bank. I wonder what steps
> can be taken legally right now to make responsibilities clearer to the
> legal world?
>
> I once had a guy break in to my house and call his girlfriend in
> Mexico about 50 times in  two weeks. When I called Pacific Bell, the
> operator placed a call to the number, the woman (stupidly!) admitted,
> "yes I know Luis, he calls me all the time" and even though the
> operator heard this, PB still refused to exempt those charges and go
> after the guy.
>
> I closed my PB account and opened a new one under a variation of my name.
>
> /r
>
>   

Indeed, the old method of this sort of fraud involved a lineman's
handset or a phone modified with alligator clips to attach to the NID
outside the home of someone not in town, thereby being able to call long
distance on someone else's bill.  I've heard of NO cases in which the
phone company accepted liability for those charges, even if they forgot
to lock the NID itself. For all intents and purposes, it's a
telco-installed back door into your system with poor overall security.

The problem with getting the legal system to understand whose
responsibility this is is a difficult one. Politics and an overall lack
of good, unbiased information has always affected legislation and, as
such, jurisprudence. Politicians neither know nor tend to care about the
finer points of technology and how it may be used. They rely on advisors
to tell them the bullet-point version of any issue before they make a
snap decision on whether it's expedient to back it legislatively. These
advisors are either lobbyists, PACs, or advised by such, and all of them
have an agenda. I can assure you that the agenda of the home or home
business with Asterisk is not heard. Ever.

This leaves a judge to make a decision should it come to court, and it
could go either way, but it would be a messy and expensive battle, and
the decision of the judge would be tempered by what's written into the
law, which right now is hardly kept up to date for modern technologies.

In a situation like ours, we'd be dealing with legal systems in a
variety of countries, which would make things even more complex.

I think step one in this sort of fight is, and has always been, having a
true political voice that can be heard above the din of established
special-interest groups. The VON Coalition was an idea like this, but
it's an incredibly exclusive membership -- designed for companies making
hundreds of millions if not billions a year in revenue. With minimum
annual dues of $10,000 or more, it's quite reasonable as a
semi-democratic organisation for business making $500,000,000 a year.
For smaller companies, it's laughable. And so, the voices heard are the
ones which were heard before -- the AT&Ts, the British Telecoms, the
Comcasts, and the Verizons of the world. It becomes just another avenue
to get the same political point across.  A second opinion that's
guaranteed to be the same as the first, as it were.

And so, in answer to your question, I don't think there ARE necessarily
steps that can be taken right now to ensure that there's a rational
approach to the resolution of such an issue of fraud. Barring some sort
of major legal precedent, it's going to be anyone's guess how the
verdict comes out in the end.


-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com

More information about the asterisk-users mailing list