[asterisk-users] Suing Dell||Dull Computers for CID abuse
J. Oquendo
sil at infiltrated.net
Tue Jul 3 06:20:36 CDT 2007
Reposted to this list: (http://lists.virus.org/voipsec-0610/msg00046.html)
> That's exactly the type of thing that needs to be stopped. If Dell
outsourcing calls me from India, the CLI must be their number in India
not a faked-in number of some office in the US. That to me is exactly
the purpose of this proposed law. It is equivalent to the law regarding
FAX calls that has been around for a long time.
>
Here is the single biggest issue facing anything anyone on this
list can speak about: "Validation". Let's be realistic here using
(again) Dell. We know based on someone's accent and lack of proper
use of grammar, they are not speaking to us from a location in
the USA. How can we "validate" that such instance is illegal. It
would be hearsay because all we have is a notion without factual
evidence. So how does anyone propose addressing a situation such
as this.
It's not like there is a reverse-ip-to-DID lookup from switch to
switch implementation going on. Even if someone were insane enough
to attempt to engineer a feat such as that, what would happen when
numbers get ported. It would be an engineering nightmare. So how
would one propose a fix for validating the origination of a number.
All I can see happening is stronger and more ingenious methods
someone would find to circumvent that NEW fix. Lose lose situation
if you ask me.
>
> Well, millions of people subscribe to CLI and use it to decide
whether or not to answer the phone, and to block calls that do not
provide CLI. I would say that it is a valuable use to a lot of people.
That purpose doesn't require 100% validation.
>
What happens when CLI is meaningless to the majority. To me, CLI
has been semi meaningless. While I do use it to sift through calls I
want to pick up or not, I don't use it as a source of validation.
Maybe its based on what I know and have seen. Slowly, many of my non
technical friends sometimes refuse to answer the phone because the
CLI is false, and my non technical friends know this based on
answering calls from non working 800 numbers. This signifies to me
that there are others aware of the current situation regarding bogus
CLI. It also signifies to me that slowly others aren't taking CLI so
serious anymore. And when I say others, I'm meaning other people
outside of the networking, security, technology field. Think about
it, farmer John who is 50 a computerphobe who knows that caller ID
can't be trusted. That says something to me. Because it *IS* coming
from the VoIP end of things, its sad, but because of the logic (the
hard coded, stone cold logic) of networks, people, etc., a law won't
prevent this by any means.
> In addition, many 800 number subscribers use the CLI to fetch the
calling customer's account information so that it is ready when a person
answers to handle the call. That doesn't need 100% validation.
This is one of the dangers I am speaking of regarding security.
Let's take this situation right now, supposing I dislike you and
have enough information about you. I set out to make life disruptive
for you so I change my CLI to your phone number. First I want to call
the bank (with your information) hopefully I can get someone insane
enough to use caller ID as a source of information. Then, I decide
to call the credit card companies in hopes they're going to bring up
your information based on caller ID, and the scenario goes on and on.
Should a company make a decision based on caller ID? Would you
irrate by their actions? I know I would.
> All of these uses would become useless if a large percentages of the
calls had invalid CLI. Thus the need for the law and for techincal means
to prevent spoofing.
Any law you can dish out will be worthless. Why? Because of the fact
that other countries aren't bound by US rules. So you pass a law in
the US and force (dis)organized criminals to act from abroad. Here is
the hair that will break the camel's back: Russian (dis)organized crime
figures break into VoIP services in the US and spoof CLI information.
Honest law abiding companies will have to pay for their actions via
suits and breaking the law since they passed off incorrect CLI
information.
Is this fair? What about overseas companies passing off bogus information,
what mechanisms exist for checking the validity of where the call is
coming from? E.g.:
Russian-VoIP-ISP.com is a known VoIP despot who routes calls through
some point to point in the US. That point to point routes it through
Level3 down the chain, there is no mechanism I know of that can do
reverse checking to validate that this number is coming from a
legitimate source. Is this Level3's fault? Even if there were a
mechanism in place, what happens on a failure when a provider has to
route calls through another junction point?
> I presume from your comment that you, like others in the
Internet/VoIP arena I have corresponded with, believe that the PSTN did
everything wrong and that VoIP is doing everything correctly.
I don't think the PSTN did anything worse or better than VoIP, in
fact I would prefer to rely on the PSTN than VoIP for certain reasons.
1) With the PSTN, any utility company, emergency service company knows
with 100% accuracy that a copper line with the number 12035551212 is
coming from 1 Main Street, New Haven as opposed to VoIP's 12035551212
being registered via some pre-filled out form, stating at the point
in time that the form was submitted, it was at 1 Main Street however,
it truly might not be at that location anymore. Someone may have
moved their ATA or server.
As for things VoIP has done better? The only thing that comes to me
thusfar is saved someone money. Anyhow, I think this was a pretty
good discussion on the topic, but bottom line if you ask me, Truth
in Caller ID does nothing more than give a politician something to
boast about during election time. Nothing more.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.digium.com/pipermail/asterisk-users/attachments/20070703/aa06c133/attachment.bin
More information about the asterisk-users
mailing list