[VOIPSEC] Truths on "Truth in Caller ID Act"

Geoff Devine gdevine at cedarpointcom.com
Thu Oct 5 10:08:05 CDT 2006


I see this as a trust federation.  Today, you can be fairly confident
that a wireline phone connected to the PSTN is not spoofing CallerID.
Today, you can be fairly confident that an MSO PacketCable phone
connected to the PSTN is not spoofing CallerID.  Today, you can be
fairly confident that a cellular telephone connected to a cellular
provider is not spoofing CallerID.  The problem is that there is this
new breed of service providers who should not be allowed into the trust
federation.  You can certainly set up VoIP so it's unlikely that users
will spoof CallerID.  Issue them something like a GSM SIM chip.  Have a
contract with them.  Use AAA methods that are at least as hardened as
what is used today on the cellular network.  If a service provider
doesn't conform to these requirements, they're not allowed to join the
trust federation.  If you don't like it, use a SIP URI rather than an
E.164 number and live in the mayhem created by the IETF.

Geoff

-----Original Message-----
From: J. Oquendo [mailto:sil at infiltrated.net] 
Sent: Thursday, October 05, 2006 10:51 AM
To: Geoff Devine
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"

Geoff Devine wrote:
> So....
>
> Why would a "truth in Caller ID" law be bad?  If you placed the burden
> on telephony service providers to prevent spoofed CallerID and made it a
> crime for an individual to spoof CallerID, I'd classify it as sound
> public policy.
It's not that it's a bad idea, it just won't work the way it's pitched.
First of all, placing the burden on all telephony providers to support
this may work in the country of origin, but it won't work in Nigeria.

> If it doesn't happen, my telephone is going to start
> ringing at 3 AM with spoofed calls from Nigeria claiming to be my
> employer or a family member.  Unlike Email spam, a telephone call is a
> very intrusive thing.  There may be an emergency where I absolutely need
> to have my phone ring at 3 AM.
>
> Geoff
>
>   
I've yet to see one response as to why this will work with proof of it
working. How does the US government intend to have telephony providers
outside of the US follow suit and conform to this? So let's make
you a provider with this law passed and create the following scenario:
<scenario> Yourcompany gets a call from a Nigerian hosted spoofed caller
ID site. Yourcompany passes the call. Yourcompany now gets sued for
passing that call.</scenario> How much sense does that make to you?
Makes little to me. There is NOTHING, absolutely NOTHING the United
States is going to do that will completely stop this from happening
(spoofing). All that *WILL OCCUR* will be the introduction of frivolous
lawsuits against Yourcompany since it did not stop this spoofed call from
coming through your network, along with you having to conform to this
"Truth in Caller ID" policy as well as Yourcompany spending money on
"compliant" equipment that you *HOPE* will stop this from happening.

So how is it a bad idea? Simple: it may be practical in the United
States, but worldwide it means nothing.

Mpierce1 at aol.com wrote:

 > It can not be, if used as defined in American National Standard T1.625
 > and several equivalent ITU-T Recommendations.

Note the word "Recommendations"

 > , the industry finds ways to stop the abuse, so that the telephone
 > system continues to be a fairly secure, protected way for people to
 > communicate. The use of CLI for identification is appropriate for
 > certain purposes.

Using CLI for identification purposes is moronic from my view, hence my
previous example that I shall re-paste: If I stepped into a bank and
asked to make a courtesy call, I could engineer information from someone
since (what you call verifiable and ABSOLUTE) CID will show the
information from a bank. Takes no technology to pull this off.

 >  It seems that part of the
 > original comment was based on a belief that there are perfectly good,
 > legitimate reasons for spoofing CLI.

There is no perfectly legitimate reason, so this was not a portion of the
original post I made. The original point I was making was and will
continue to be that this is a moronic law which will 1) cost more
carriers money to conform to, 2) not deter someone from spoofing (it may
in the US, but the US is not the world's government).

 > And it results in things like the ridicule of a proposed US
 > law (which began this string) which tries to deal with this emerging
 > scourge on our communication system.

It is ridiculous and imposing nothing more nothing less.

So here is your sane response to your comments and something of a
reverse role.... China, Korea, Russia and the EU have decided that when
calls come into their countries, their caller IDs should NOT pass
information. Their governments decided it was intrusive to their people
to have information being passed over telephony, so they've decided to
make a law that states "Should any telco pass any information through
telephony, they can be held liable for invasion of privacy. Those not
conforming to this standard will be fined". US carriers pass information
off to these countries and lawsuits begin. ChinaTelephonyCo is suing
USTelcoCom for not following their rules and passing on CID information.

Is that fair? This is what you're purporting here in a reverse fashion.

US GOVERNMENT: If someone from anywhere passes off *SOMETHING WE DON'T 
LIKE* they will be held liable for breaking the law.

Sounds Dictatorish to me and it won't work. It won't work because there 
is nothing under the sun at this point in time I can find to cite, 
quote, ponder on, etc., that proves me wrong other than someone's 
personal view.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams