[Asterisk-Users] VOIP Spam

Duane digium at aus-biz.com
Sat Apr 17 19:13:33 MST 2004


Tracy R Reed wrote:

> No, I haven't. And you are right it is highly unlikely. Knowing that
> someone was going to want to get a key signed, putting the bogus info
> where they would find it, tricking someone into calling you and giving
> them a bogus key, etc. is all very difficult. I think we are going to have
> to give up the notion of 100% security and accept the very small chance
> (orders of magnitude smaller than now) of someone being fooled if we ever
> want to get this stuff deployed.

Ongoing man-in-the-middle attacks aren't impossible; the FBI's Carnivore 
system is all over the place and in theory could not only sniff but 
inject... Then again, there are other methods at the disposal of 
governments...

> Since most CPUs out there in the world spend 80% of their time idle doing
> nothing anyway, I don't think it would be quite this bad. :)

What about Asterisk servers that are already under load? This would 
multiply the effect. Yes, most servers would idle most of the time, but 
if you have periods of peak activity this would compound any existing 
problems you get from this...

> Ah. I haven't given too much thought about how it interacts with phone
> systems yet. I'll ponder this one.

I believe there is an RFC on PGP use in browsers; I don't know of anyone 
actually implementing it, however...

> Very cool. I am reading up on this stuff.

We wanted a method of dynamic routing so we didn't have an ever-growing 
list of extensions and IAX/SIP items, not to mention getting away from 
single points of failure where, if a service is down, you're out of luck; 
it seemed like enum.164 is the only solution to this problem. We wanted 
to do things in such a way that we could be relatively certain the person we 
were calling was who we were expecting and not a telemarketer etc. etc. 
that had hijacked a heap of numbers... As far as I'm aware no other enum 
system (even the ITU's) currently implements anything that comes close to 
what we were after...

> Indeed. It was just an example of the mail vendors successfully forcing
> something on everyone.

The thing is it didn't stop normal text posts, so yes, it tacked added 
functionality on top without denying the existing system; your 
suggestion doesn't take that into account...

> That is fine. The mail administrator can read everything they type into
> the server anyhow. He can bug their keyboard if he wants. 

Not if you encrypt email at the mail client... He can't bug a remote 
keyboard... Some of the PKI hardware devices are implemented in a 
keyboard, and when accessing the certificate the keyboard directs keystrokes 
directly to the hardware reader rather than via the PC...

> I doubt they would because it would make spamming much more expensive.
> Some might but it makes it much less likely and kills their profits which
> removes the incentive.

What cost? It's trivial to generate both PGP and self-signed PKI keys 
using the openssl toolkit; spammers could easily pay someone to grab a new 
domain/email/certificate daily, $10 in wages? If they get $1000 in 
profit from $10 in expenses they'd do it...

-- 
Best regards,
  Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
