[asterisk-users] Is there a public blacklist of hackers' IPaddresses?
ContactTel Business
lists at contacttel.com
Thu Mar 26 09:36:35 CDT 2009
Yes, i agree with this !..
People are stupid and or stressed like hell , jumping head first in crap and
then forgetting about what they just said or done.
They "Google some crap question" copy/paste the first result
dialplan/sip.conf stanza etc.. and assume it will work..
<lol>It's open source aint'it ? it should be easy as building cities with
legos...</lol>
So then comes in the problems, instead of understanding the core of the
problem at hand, they jump to quick answers and solutions, which of course
are usually 90% wrong... Google is not an encyclopaedia.. it's an archive of
everyone's thoughts, and notes.
So now you got extension 123 pass 123 context default, where context default
-> include demo... include ld, include International...
Every hacker out there has the tools to check for those, and of course when
the server answers with invalid password instead of something else, it gives
them a hint that 123 is in fact an extension.. they won't BRUTE force
anything, there's so many open SIP boxes out there, it's scary...
It's a vicious circle, people don't learn , so apps like trixbox etc make it
easier for them , which in turns opens up the problems..
Then again are we asking MR smith to learn networking security fundamentals
? programming habbits , etc ?
This is a tool that was made for developers by developers, went mainstream ,
making cash , and now it's a commercial swiss army knife with no crowd
control.
I really like the default #REMOVE ME in some apps to make something work..
as i am too really used to start the damn app without even looking at most
of it.
But once you get hit.. you will get hit hard, and then comes the learning...
Seems that's the society these days.
Contacttel Support
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of randulo
Sent: March-26-09 9:03 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Is there a public blacklist of hackers'
IPaddresses?
On Thu, Mar 26, 2009 at 1:32 PM, SIP <sip at arcdiv.com> wrote:
> As an end-point ITSP, I can assure you, it would be us who's assessed
> the requisite charges. If someone uses a fraudulent card, we're required
> to pay. If someone uses a three letter password on his account, and it's
> hacked into and uses to rack up charges, we have to pay.
Neil,
It hadn't occurred to me when writing it, but obviously there are
situations that don't match the banking paradigm. For example, suppose
I run my own asterisk, I have a contract with a company like yours and
you have my banking info with an authorization to top up. If the fraud
is someone on the banking end (hacked my card details for example)
that's covered by the bank. But if they brute force hacked my asterisk
install because the extension, the username and the secret are all
'2005' and then make $100k worth of calls, people like lawyers and
judges won't easily see that it's the asterisk install that's
responsible, not your company or even the bank. I wonder what steps
can be taken legally right now to make responsibilities clearer to the
legal world?
I once had a guy break in to my house and call his girlfriend in
Mexico about 50 times in two weeks. When I called Pacific Bell, the
operator placed a call to the number, the woman (stupidly!) admitted,
"yes I know Luis, he calls me all the time" and even though the
operator heard this, PB still refused to exempt those charges and go
after the guy.
I closed my PB account and opened a new one under a variation of my name.
/r
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
More information about the asterisk-users
mailing list