Bill Michaelson wrote:> Alex Balashov wrote:
>> Steve Totaro wrote:
>>
>>
>>> This make more sense:
>>> Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who
sets the
>>> CID/ANI ----> Telco ------> terminated to the PSTN
>>>
>>
>> Well, sure, but you can do far worse things than spoof ANI/CID with
that
>> kind of mischief. The sort of things generated in the scenario you
>> described are hard to track down whether they're telephony-related
or not.
>>
>>
> Precisely right, and in the general case, it seems that the essential
> problem is the lack of general awareness that certain forms of
> identification are unreliable. Thus the perceived need to clear the
> innocent. And also, perhaps, the reason for excessive apathy about
> the (general) problem in many corners.
>
> Referring back to my earlier suggestion about public key
> authentication, a more widespread appreciation and understanding of
> it's applicability in various realms would go a long way toward
> helping solve many problems ranging from spam and phishing to stuff
> like this. It's a mind-share/social problem. There is nothing
> inherently wrong with spoofing; the problems arise when the receiver
> is unduly deceived.
>
I motion that this thread be moved to the Asterisk Users (already copied
to Users List)
For those that do not subscribe to the Biz list, this thread may be
interesting to you.
http://lists.digium.com/pipermail/asterisk-biz/2008-May/subject.html
I am done giving examples of what could be done as far as current
exploits. The purpose was to clue some people into what can actually be
done that could cause *real harm*.
I would like to see what Bill and others can offer as solutions. This
particular issue could result in many forms of real harm and is worth
more discussion.
*Maybe the "Asterisk Community" can do more than talk about Asterisk.
We are numerous, smart, and many are influential or have influential
contacts.*
Thanks,
Steve Totaro