[VOIPSEC] Truths on "Truth in Caller ID Act"
Simon Horne
s.horne at packetizer.com
Thu Oct 5 22:18:20 BST 2006
Geoff
Trust? I think it is very misplaced. There is a difference between the
actual callerID required by your provider and the display (presented)
callerID shown to the called party.
It is quite trivial to have a bank of E1/T1 gateways which you connect up
to an international VoIP clearinghouse, when calls come in, the appropriate
gateway is selected based on the called number, the CLI is rewritten to a
random number in the number range of that E1/T1 allocated by the local
telephone provider and they can select to hide or just copy the displayname
straight off the incoming SIP message as the display caller ID. The VoIP
termination provider may have no idea where that call actually came from,
your telephone company is happy because they receive a valid CLI and you,
as the called party, are still lumped with a hidden (or spoofed) display
callerID.
So it could still be a Nigerian scam artist calling you in the middle of
the night, but to you on the caller ID, it could look like the White House.
Simon
At 11:08 PM 5/10/2006, you wrote:
>I see this as a trust federation. Today, you can be fairly confident
>that a wireline phone connected to the PSTN is not spoofing CallerID.
>Today, you can be fairly confident that an MSO PacketCable phone
>connected to the PSTN is not spoofing CallerID. Today, you can be
>fairly confident that a cellular telephone connected to a cellular
>provider is not spoofing CallerID. The problem is that there is this
>new breed of service providers who should not be allowed into the trust
>federation. You can certainly set up VoIP so it's unlikely that users
>will spoof CallerID. Issue them something like a GSM SIM chip. Have a
>contract with them. Use AAA methods that are at least as hardened as
>what is used today on the cellular network. If a service provider
>doesn't conform to these requirements, they're not allowed to join the
>trust federation. If you don't like it, use a SIP URI rather than an
>E.164 number and live in the mayhem created by the IETF.
>
>Geoff
>
>-----Original Message-----
>From: J. Oquendo [mailto:sil at infiltrated.net]
>Sent: Thursday, October 05, 2006 10:51 AM
>To: Geoff Devine
>Cc: voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"
>
>Geoff Devine wrote:
> > So....
> >
> > Why would a "truth in Caller ID" law be bad? If you placed the burden
> > on telephony service providers to prevent spoofed CallerID and made it
> > a crime for an individual to spoof CallerID, I'd classify it as sound
> > public policy.
>It's not that it's a bad idea, it just won't work the way it's pitched.
>First of all, placing the burden on all telephony providers to support
>this may work in the country of origin but it won't work in Nigeria.
>
> > If it doesn't happen, my telephone is going to start
> > ringing at 3 AM with spoofed calls from Nigeria claiming to be my
> > employer or a family member. Unlike Email spam, a telephone call is a
> > very intrusive thing. There may be an emergency where I absolutely
> > need to have my phone ring at 3 AM.
> >
> > Geoff
> >
> >
>I've yet to see one response as to why this will work with proof of it
>working. How does the US government intend on having telephony providers
>outside of the US following suit and conforming to this? So let's make
>you a provider with this law passed and create the following scenario:
><scenario> Yourcompany gets a call from a Nigerian hosted spoofed caller
>ID site. Yourcompany passes the call. Yourcompany now gets sued for
>passing that call.</scenario> How much sense does that make to you?
>Makes little to me. There is NOTHING, absolutely NOTHING the United
>States is going to do that will completely stop this from happening
>(spoofing). All that *WILL OCCUR* will be the introduction of frivolous
>lawsuits to Yourcompany since it did not stop this spoofed call from
>coming through your network along with you having to conform to this
>"Truth in Caller ID" policy as well as Yourcompany spending money on
>"compliant" equipment that you *HOPE* will stop this from happening.
>
>So how is it a bad idea? Simple: it may be practical in the United
>States, but worldwide it means nothing.
>
>Mpierce1 at aol.com wrote:
>
> >. It can not be, if used as defined in American National Standard
> > T1.625 and several equivalent ITU-T Recommendations.
>
>Note the word "Recommendations"
>
> > , the industry finds ways to stop the abuse, so that the telephone
> > system continues to be a fairly secure, protected way for people to
> > communicate. The use of CLI for identification is appropriate for
> > certain purposes.
>
>Using CLI for identification purposes is moronic from my view hence my
>previous example that I shall re-paste: If I stepped into a bank and
>asked to make a courtesy call, I can engineer information from someone
>since (what you call verifiable and ABSOLUTE) CID will show the
>information from a bank. Takes no technology to pull this off.
>
> > It seems that part of the
> > original comment was based on a belief that there are perfectly good,
> > legitimate reasons for spoofing CLI.
>
>There is no perfectly legitimate reason so this was not a portion of the
>original post I made. The original point I was making was and will
>continue to be that this is a moronic law which will 1) cost more
>carriers money to conform to, 2) not deter someone from spoofing (it may
>in the US but the US is not the world's government).
>
> > And it results in things like the ridicule of a proposed US
> > law (which began this string) which tries to deal with this emerging
> > scourge on our communication system.
>
>It is ridiculous and imposing nothing more nothing less.
>
>So here is your sane response to your comments and something of a
>reverse role.... China, Korea, Russia and the EU have decided that when
>calls come into their countries, their caller ID's should NOT pass
>information. Their governments decided it was intrusive to their people
>to have information being passed over telephony so they've decided to
>make a law that states "Should any telco pass any information through
>telephony, they can be held liable for invasion of privacy. Those not
>conforming to this standard will be fined". US carriers pass information
>off to these countries and lawsuits begin. ChinaTelephonyCo is suing
>USTelcoCom for not following their rules and passing on CID information.
>
>Is that fair? This is what you're purporting here in a reverse fashion.
>
>US GOVERNMENT: If someone from anywhere passes off *SOMETHING WE DON'T
>LIKE* they will be held liable for breaking the law.
>
>Sounds Dictatorish to me and it won't work. It won't work because there
>is nothing under the sun at this point in time I can find to cite,
>quote, ponder on, etc., that proves me wrong other than someone's
>personal view.
>
>--
>====================================================
>J. Oquendo
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>sil . infiltrated @ net http://www.infiltrated.net
>
>The happiness of society is the end of government.
>John Adams
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
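
Added example, not part of the original messages: a receiving-side check for the gap described at the top of this post between the number the network accepts and the caller ID that is displayed. It assumes the network-asserted number arrives in a P-Asserted-Identity header (RFC 3325) and the presented identity in From; the sample INVITE, host names and function names are constructed for illustration.

```python
import re

# Constructed sample INVITE (not taken from the thread). From carries the
# presented identity; P-Asserted-Identity (RFC 3325) the network-asserted one.
SAMPLE_INVITE = (
    "INVITE sip:+12025550111@gw.example.net SIP/2.0\r\n"
    'From: "White House" <sip:+12025550100@clearinghouse.example>;tag=a1\r\n'
    "To: <sip:+12025550111@gw.example.net>\r\n"
    "P-Asserted-Identity: <sip:+442079460042@gw.example.net>\r\n"
    "Call-ID: constructed-1@example\r\n"
    "\r\n"
)

# name-addr: optional quoted or bare display name, then <sip:user@host> or <tel:number>
NAME_ADDR = re.compile(r'^\s*(?:"([^"]*)"|([^<"]*?))\s*<(?:sips?|tel):([^@;>]+)')

def headers_of(raw):
    """Map lower-cased header names to values (no folding or repeated headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip the request line
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in lines)}

def parse_identity(value):
    """Return (display_name, digits_of_user_part) for a name-addr value."""
    m = NAME_ADDR.match(value or "")
    if not m:
        return "", ""
    return (m.group(1) or m.group(2) or "").strip(), re.sub(r"\D", "", m.group(3))

def check_invite(raw):
    """List reasons the presented caller ID should not be taken at face value."""
    h = headers_of(raw)
    display, presented = parse_identity(h.get("from"))
    _, asserted = parse_identity(h.get("p-asserted-identity"))
    findings = []
    if not asserted:
        findings.append("no network-asserted identity")
    elif presented != asserted:
        findings.append("presented number differs from asserted number")
    display_digits = re.sub(r"\D", "", display)
    if display and not display_digits:
        findings.append("display name is unverified free text")
    elif display_digits and display_digits != asserted:
        findings.append("display name shows a number other than the asserted one")
    return findings

if __name__ == "__main__":
    for finding in check_invite(SAMPLE_INVITE):
        print(finding)
```

An empty result only means the two headers agree with each other; it says nothing about where the call originated, which is the limitation the message above points out for the termination provider.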