[VOIPSEC] (Missed)Trust in Caller ID Act

J. Oquendo sil at infiltrated.net
Fri Oct 13 20:31:13 CDT 2006


Mpierce1 at aol.com wrote:

>
> That's exactly the type of thing that needs to be stopped. If Dell outsourcing calls me from India, the CLI must be their number in India not a faked-in number of some office in the US. That to me is exactly the purpose of this proposed law. It is equivalent to the law regarding FAX calls that has been around for a long time.
>

Here is the single biggest issue facing anything anyone on this list can speak about: "Validation". Let's be realistic here using (again) Dell. We know based on someone's accent and lack of proper use of grammar that they are not speaking to us from a location in the USA. How can we "validate" that such an instance is illegal? It would be hearsay because all we have is a notion without factual evidence. So how does anyone propose addressing a situation such as this?

It's not like there is a reverse-IP-to-DID lookup from switch to switch implementation going on. Even if someone were insane enough to attempt to engineer a feat such as that, what would happen when numbers get ported? It would be an engineering nightmare. So how would one propose a fix for validating the origination of a number? All I can see happening is stronger and more ingenious methods someone would find to circumvent that NEW fix. Lose-lose situation if you ask me.

>
> Well, millions of people subscribe to CLI and use it to decide whether or not to answer the phone, and to block calls that do not provide CLI. I would say that it is a valuable use to a lot of people. That purpose doesn't require 100% validation.
>

What happens when CLI is meaningless to the majority? To me, CLI has been semi-meaningless. While I do use it to sift through calls I want to pick up or not, I don't use it as a source of validation. Maybe it's based on what I know and have seen. Slowly, many of my non-technical friends sometimes refuse to answer the phone because the CLI is false, and my non-technical friends know this based on answering calls from non-working 800 numbers. This signifies to me that there are others aware of the current situation regarding bogus CLI. It also signifies to me that slowly others aren't taking CLI so seriously anymore. And when I say others, I mean other people outside of the networking, security, and technology fields. Think about it: farmer John, who is 50 and a computerphobe, knows that caller ID can't be trusted. That says something to me. Because it *IS* coming from the VoIP end of things, it's sad, but because of the logic (the hard-coded, stone-cold logic) of networks, people, etc., a law won't prevent this by any means.

> In addition, many 800 number subscribers use the CLI to fetch the calling customer's account information so that it is ready when a person answers to handle the call. That doesn't need 100% validation.

This is one of the dangers I am speaking of regarding security. Let's take this situation right now, supposing I dislike you and have enough information about you. I set out to make life disruptive for you, so I change my CLI to your phone number. First I want to call the bank (with your information); hopefully I can get someone insane enough to use caller ID as a source of information. Then, I decide to call the credit card companies in hopes they're going to bring up your information based on caller ID, and the scenario goes on and on. Should a company make a decision based on caller ID? Would you be irate by their actions? I know I would.

> All of these uses would become useless if a large percentage of the calls had invalid CLI. Thus the need for the law and for technical means to prevent spoofing.

Any law you can dish out will be worthless. Why? Because of the fact that other countries aren't bound by US rules. So you pass a law in the US and force (dis)organized criminals to act from abroad. Here is the hair that will break the camel's back: Russian (dis)organized crime figures break into VoIP services in the US and spoof CLI information. Honest, law-abiding companies will have to pay for their actions via suits and breaking the law, since they passed off incorrect CLI information.

Is this fair? What about overseas companies passing off bogus information? What mechanisms exist for checking the validity of where the call is coming from? E.g.:

Russian-VoIP-ISP.com is a known VoIP despot who routes calls through some point-to-point in the US. That point-to-point routes it through Level3 down the chain; there is no mechanism I know of that can do reverse checking to validate that this number is coming from a legitimate source. Is this Level3's fault? Even if there were a mechanism in place, what happens on a failure when a provider has to route calls through another junction point?

> I presume from your comment that you, like others in the Internet/VoIP arena I have corresponded with, believe that the PSTN did everything wrong and that VoIP is doing everything correctly.

I don't think the PSTN did anything worse or better than VoIP; in fact I would prefer to rely on the PSTN than VoIP for certain reasons. 1) With the PSTN, any utility company or emergency service company knows with 100% accuracy that a copper line with the number 12035551212 is coming from 1 Main Street, New Haven, as opposed to VoIP's 12035551212 being registered via some pre-filled-out form, stating that at the point in time the form was submitted it was at 1 Main Street; however, it truly might not be at that location anymore. Someone may have moved their ATA or server.

As for things VoIP has done better? The only thing that comes to me thus far is saving someone money. Anyhow, I think this was a pretty good discussion on the topic, but bottom line, if you ask me, Truth in Caller ID does nothing more than give a politician something to boast about during election time. Nothing more.


Sincerely,
Jesus Oquendo

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 
