[VOIPSEC] Truths on "Truth in Caller ID Act"
J. Oquendo
sil at infiltrated.net
Thu Oct 5 15:51:19 BST 2006
Geoff Devine wrote:
> So....
>
> Why would a "truth in Caller ID" law be bad? If you placed the burden
> on telephony service providers to prevent spoofed CallerID and made it a
> crime for an individual to spoof CallerID, I'd classify it as sound
> public policy.
It's not that it's a bad idea, it just won't work the way it's pitched.
First of all, placing the burden on all telephony providers to support
this may work in the country of origin but it won't work in Nigeria.
> If it doesn't happen, my telephone is going to start
> ringing at 3 AM with spoofed calls from Nigeria claiming to be my
> employer or a family member. Unlike Email spam, a telephone call is a
> very intrusive thing. There may be an emergency where I absolutely need
> to have my phone ring at 3 AM.
>
> Geoff
>
>
I've yet to see one response as to why this will work with proof of it
working. How does the US government intend on having telephony providers
outside of the US following suit and conforming to this? So let's make
you a provider with this law passed and create the following scenario:
<scenario> Yourcompany gets a call from a Nigerian hosted spoofed caller
ID site. Yourcompany passes the call. Yourcompany now gets sued for
passing that call.</scenario> How much sense does that make to you?
Makes little to me. There is NOTHING, absolutely NOTHING the United
States is going to do that will completely stop this from happening
(spoofing). All that *WILL OCCUR* will be the introduction of frivolous
lawsuits to Yourcompany since it did not stop this spoofed call from
coming through your network along with you having to conform to this
"Truth in Caller ID" policy as well as Yourcompany spending money on
"compliant" equipment that you *HOPE* will stop this from happening.
So how is it a bad idea? Simple: it may be practical in the United
States, but worldwide it means nothing.
Mpierce1 at aol.com wrote:
>. It can not be, if used as defined in American National Standard T1.625
> and several equivalent ITU-T Recommendations.
Note the word "Recommendations"
> , the industry finds ways to stop the abuse, so that the telephone
> system continues to be a fairly secure, protected way for people to
> communicate. The use of CLI for identification is appropriate for
> certain purposes.
Using CLI for identification purposes is moronic from my view hence my
previous example that I shall re-paste: If I stepped into a bank and
asked to make a courtesy call, I can engineer information from someone
since (what you call verifiable and ABSOLUTE) CID will show the
information from a bank. Takes no technology to pull this off.
> It seems that part of the
> original comment was based on a belief that there are perfectly good,
> legitimate reasons for spoofing CLI.
There is no perfectly legitimate reason so this was not a portion of the
original post I made. The original point I was making was and will
continue to be that this is a moronic law which will 1) cost more
carriers money to conform to, 2) not deter someone from spoofing (it may
in the US but the US is not the world's government).
> And it results in things like the ridicule of a proposed US
> law (which began this string) which tries to deal with this emerging
> scourge on our communication system.
It is ridiculous and imposing, nothing more, nothing less.
So here is your sane response to your comments and something of a
reverse role.... China, Korea, Russia and the EU have decided that when
calls come into their countries, their caller IDs should NOT pass
information. Their governments decided it was intrusive to their people
to have information being passed over telephony so they've decided to
make a law that states "Should any telco pass any information through
telephony, they can be held liable for invasion of privacy. Those not
conforming to this standard will be fined". US carriers pass information
off to these countries and lawsuits begin. ChinaTelephonyCo is suing
USTelcoCom for not following their rules and passing on CID information.
Is that fair? This is what you're purporting here in a reverse fashion.
US GOVERNMENT: If someone from anywhere passes off *SOMETHING WE DON'T
LIKE* they will be held liable for breaking the law.
Sounds Dictatorish to me and it won't work. It won't work because there
is nothing under the sun at this point in time I can find to cite,
quote, ponder on, etc., that proves me wrong other than someone's
personal view.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams