J. Oquendo
2007-Jul-03 11:20 UTC
[asterisk-users] Suing Dell||Dull Computers for CID abuse
Reposted to this list: (http://lists.virus.org/voipsec-0610/msg00046.html)

> That's exactly the type of thing that needs to be stopped. If Dell
> outsourcing calls me from India, the CLI must be their number in India,
> not a faked-in number of some office in the US. That to me is exactly
> the purpose of this proposed law. It is equivalent to the law regarding
> FAX calls that has been around for a long time.

Here is the single biggest issue facing anything anyone on this list can speak about: "Validation". Let's be realistic here using (again) Dell. We know based on someone's accent and lack of proper use of grammar that they are not speaking to us from a location in the USA. How can we "validate" that such an instance is illegal? It would be hearsay because all we have is a notion without factual evidence. So how does anyone propose addressing a situation such as this? It's not like there is a reverse-IP-to-DID lookup from switch to switch implementation going on. Even if someone were insane enough to attempt to engineer a feat such as that, what would happen when numbers get ported? It would be an engineering nightmare. So how would one propose a fix for validating the origination of a number? All I can see happening is stronger and more ingenious methods someone would find to circumvent that NEW fix. Lose-lose situation if you ask me.

> Well, millions of people subscribe to CLI and use it to decide whether or
> not to answer the phone, and to block calls that do not provide CLI. I
> would say that it is a valuable use to a lot of people. That purpose
> doesn't require 100% validation.

What happens when CLI is meaningless to the majority? To me, CLI has been semi-meaningless. While I do use it to sift through calls I want to pick up or not, I don't use it as a source of validation. Maybe it's based on what I know and have seen. Slowly, many of my non-technical friends sometimes refuse to answer the phone because the CLI is false, and my non-technical friends know this based on answering calls from non-working 800 numbers. This signifies to me that there are others aware of the current situation regarding bogus CLI. It also signifies to me that slowly others aren't taking CLI so seriously anymore. And when I say others, I mean other people outside of the networking, security, technology field. Think about it: farmer John, who is 50 and a computerphobe, knows that caller ID can't be trusted. That says something to me. Because it *IS* coming from the VoIP end of things, it's sad, but because of the logic (the hard-coded, stone-cold logic) of networks, people, etc., a law won't prevent this by any means.

> In addition, many 800 number subscribers use the CLI to fetch the calling
> customer's account information so that it is ready when a person answers
> to handle the call. That doesn't need 100% validation.

This is one of the dangers I am speaking of regarding security. Let's take this situation right now: supposing I dislike you and have enough information about you, I set out to make life disruptive for you, so I change my CLI to your phone number. First I want to call the bank (with your information); hopefully I can get someone insane enough to use caller ID as a source of information. Then I decide to call the credit card companies in hopes they're going to bring up your information based on caller ID, and the scenario goes on and on. Should a company make a decision based on caller ID? Would you be irate at their actions? I know I would.

> All of these uses would become useless if a large percentage of the calls
> had invalid CLI. Thus the need for the law and for technical means to
> prevent spoofing.

Any law you can dish out will be worthless. Why? Because of the fact that other countries aren't bound by US rules. So you pass a law in the US and force (dis)organized criminals to act from abroad. Here is the hair that will break the camel's back: Russian (dis)organized crime figures break into VoIP services in the US and spoof CLI information. Honest, law-abiding companies will have to pay for their actions via suits and breaking the law since they passed off incorrect CLI information. Is this fair? What about overseas companies passing off bogus information; what mechanisms exist for checking the validity of where the call is coming from? E.g.: Russian-VoIP-ISP.com is a known VoIP despot who routes calls through some point-to-point in the US. That point-to-point routes it through Level3; down the chain, there is no mechanism I know of that can do reverse checking to validate that this number is coming from a legitimate source. Is this Level3's fault? Even if there were a mechanism in place, what happens on a failure when a provider has to route calls through another junction point?

> I presume from your comment that you, like others in the Internet/VoIP
> arena I have corresponded with, believe that the PSTN did everything wrong
> and that VoIP is doing everything correctly.

I don't think the PSTN did anything worse or better than VoIP; in fact I would prefer to rely on the PSTN over VoIP for certain reasons. 1) With the PSTN, any utility company or emergency service company knows with 100% accuracy that a copper line with the number 12035551212 is coming from 1 Main Street, New Haven, as opposed to VoIP's 12035551212 being registered via some pre-filled-out form stating that, at the point in time the form was submitted, it was at 1 Main Street; however, it truly might not be at that location anymore. Someone may have moved their ATA or server. As for things VoIP has done better? The only thing that comes to me thus far is saved someone money.

Anyhow, I think this was a pretty good discussion on the topic, but bottom line, if you ask me, Truth in Caller ID does nothing more than give a politician something to boast about during election time. Nothing more.

-- 
===================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
David Gomillion
2007-Jul-03 14:15 UTC
[asterisk-users] Suing Dell||Dull Computers for CID abuse
On 7/3/07, J. Oquendo <sil at infiltrated.net> wrote:

> Reposted to this list: (http://lists.virus.org/voipsec-0610/msg00046.html)
>
> > That's exactly the type of thing that needs to be stopped. If Dell
> > outsourcing calls me from India, the CLI must be their number in India
> > not a faked-in number of some office in the US. That to me is exactly
> > the purpose of this proposed law. It is equivalent to the law regarding
> > FAX calls that has been around for a long time.
>
> Here is the single biggest issue facing anything anyone on this
> list can speak about: "Validation". Let's be realistic here using
> (again) Dell. We know based on someone's accent and lack of proper
> use of grammar, they are not speaking to us from a location in
> the USA. How can we "validate" that such instance is illegal. It
> would be hearsay because all we have is a notion without factual
> evidence. So how does anyone propose addressing a situation such
> as this.

If Dell owns the number, it's not spoofing. Point-to-point T1s and such have been allowing companies to use toll bypass for years. VoIP just makes it easier and cheaper. Now, if someone pretends to be Dell in order to sell you "Dekk" computers, then that's fraud, spoofing, etc.

> This is one of the dangers I am speaking of regarding security.
> Let's take this situation right now, supposing I dislike you and
> have enough information about you. I set out to make life disruptive
> for you so I change my CLI to your phone number. First I want to call
> the bank (with your information) hopefully I can get someone insane
> enough to use caller ID as a source of information. Then, I decide
> to call the credit card companies in hopes they're going to bring up
> your information based on caller ID, and the scenario goes on and on.
> Should a company make a decision based on caller ID? Would you be
> irate at their actions? I know I would.

We are already protected from fraud in everything you mentioned by other laws. And yet it still happens. So, what purpose will another law serve?

> I presume from your comment that you, like others in the
> Internet/VoIP arena I have corresponded with, believe that the PSTN did
> everything wrong and that VoIP is doing everything correctly.
>
> I don't think the PSTN did anything worse or better than VoIP, in
> fact I would prefer to rely on the PSTN than VoIP for certain reasons.
> 1) With the PSTN, any utility company, emergency service company knows
> with 100% accuracy that a copper line with the number 12035551212 is
> coming from 1 Main Street, New Haven as opposed to VoIP's 12035551212
> being registered via some pre-filled out form, stating at the point
> in time that the form was submitted, it was at 1 Main Street however,
> it truly might not be at that location anymore. Someone may have
> moved their ATA or server.

And yet, the Bells sometimes got the address wrong. And when a PRI got moved for a company I did work with, their local carrier failed to update the address in the 911 database. So, it can be screwed up, no matter what technology is used.

Look, we can spoof CID through our PRI. So what? We've been able to do it for years. Have we? No, we have no need to. I'm sick and tired of all these "news" stories about how people can suddenly spoof CID. It's been going on for years. And anyone who gives out personal information when receiving a phone call deserves whatever happens to them. When I got a call from my CC fraud department, I simply asked for a reference number, and said that I'd call back on the number on the back of my card. Turns out it was legit, but it only took me an extra ~30 seconds to be sure.

> As for things VoIP has done better? The only thing that comes to me
> thus far is saved someone money. Anyhow, I think this was a pretty
> good discussion on the topic, but bottom line if you ask me, Truth
> in Caller ID does nothing more than give a politician something to
> boast about during election time. Nothing more.

Hear hear!
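The two posts above make one technical point between them: J. Oquendo's bank/credit-card scenario shows what goes wrong when a presented CLI is treated as identity, and David Gomillion's reply describes the cheap fix (take a reference number, hang up, call back on the number you already trust). The following Python is an added illustration of that policy, not code from the thread, from Asterisk, or from either poster. It models an inbound handler for an account-servicing line: the CLI may pre-fetch an account screen for the agent, but privileged actions unlock only after a call-back to the number on file, tied to a reference issued on the inbound leg. All account records, numbers and the `Trust` levels are constructed for the example.

```python
"""
Added example, not code from the thread or from Asterisk: a small model of an
inbound-call handler for an account-servicing line. The presented CLI may be
used to pre-fetch a screen for the agent (the 800-number use), but it is never
treated as proof of identity; privileged actions unlock only after a call-back
to the number already on file, tied to a reference the agent issued.
Account records and numbers below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
import re
import secrets


class Trust(Enum):
    DISPLAY_ONLY = "display-only"  # CLI shown to the agent, nothing more
    PREFETCHED = "prefetched"      # account screen pre-populated, still unverified
    VERIFIED = "verified"          # caller reached on the number on file


@dataclass
class Account:
    number_on_file: str
    name: str


@dataclass
class Session:
    presented_cli: Optional[str]
    account: Optional[Account] = None
    trust: Trust = Trust.DISPLAY_ONLY
    reference: Optional[str] = None


# Constructed sample directory keyed by normalized digits.
DIRECTORY: Dict[str, Account] = {
    "12035551212": Account("12035551212", "A. Customer"),
}

# Actions that change the account or move money need a verified caller;
# everything else may proceed on the unverified, pre-fetched session.
SENSITIVE_ACTIONS = {"change_address", "reset_pin", "transfer_funds"}


def normalize_cli(raw: Optional[str]) -> Optional[str]:
    """Reduce whatever the trunk delivered to bare digits; withheld or
    non-numeric CLI (e.g. 'anonymous') becomes None rather than a lookup key."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    return digits or None


def start_session(raw_cli: Optional[str]) -> Session:
    """Pre-fetch the account the CLI points at, for agent convenience only.
    The CLI is untrusted input (any upstream PBX can set it), so trust stays
    below VERIFIED no matter what it says."""
    cli = normalize_cli(raw_cli)
    session = Session(presented_cli=cli)
    account = DIRECTORY.get(cli) if cli else None
    if account is not None:
        session.account = account
        session.trust = Trust.PREFETCHED
    return session


def authorize(session: Session, action: str) -> bool:
    """Policy gate: sensitive actions require a VERIFIED session."""
    if action in SENSITIVE_ACTIONS:
        return session.trust is Trust.VERIFIED
    return True


def issue_callback_reference(session: Session) -> str:
    """Agent ends the inbound leg and hands the caller a one-time reference.
    The call-back is placed by us, to the number on file, never to a number
    the caller supplied during the call."""
    session.reference = secrets.token_hex(4)
    return session.reference


def complete_callback(session: Session, dialed_number: str, reference: str) -> Session:
    """Upgrade trust only if we dialed the number on file and the person who
    answered quoted the reference issued on the inbound leg."""
    if (
        session.account is not None
        and session.reference is not None
        and normalize_cli(dialed_number) == session.account.number_on_file
        and secrets.compare_digest(reference, session.reference)
    ):
        session.trust = Trust.VERIFIED
    return session


if __name__ == "__main__":
    # Constructed walk-through: an inbound call presenting the customer's number.
    s = start_session("+1 (203) 555-1212")
    print("after inbound leg:", s.trust.value, "reset_pin allowed:", authorize(s, "reset_pin"))
    ref = issue_callback_reference(s)
    complete_callback(s, "12035551212", ref)
    print("after call-back:", s.trust.value, "reset_pin allowed:", authorize(s, "reset_pin"))
```

The design choice worth noting is that nothing the caller says during the inbound leg can raise `trust`: a call presenting the victim's number gets exactly the same `PREFETCHED` session a genuine customer gets, and a call-back to any number other than the one on file leaves it there. That is what makes a spoofed CLI a nuisance for the agent rather than a credential for the attacker.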
Keep in mind that this law is proposed by the Senator who thinks the Internet is a series of interconnected "tubes" which can get "clogged." What did you expect?
Andrew Kohlsmith
2007-Jul-03 21:07 UTC
[asterisk-users] Suing Dell||Dull Computers for CID abuse
On Tuesday 03 July 2007 7:20 am, J. Oquendo wrote:
> (again) Dell. We know based on someone's accent and lack of proper
> use of grammar, they are not speaking to us from a location in
> the USA. How can we "validate" that such instance is illegal. It

You obviously have not been around any city centre in North America if you believe that to be true. :-)

-A.