[VOIPSEC] [VoiceOps] Tackling VoIP fraud, new idea

Hiers, David David.Hiers at adp.com
Fri Feb 21 16:50:16 CST 2014


Here's a model of limited membership, private, vetted information sharing:

https://www.infragard.org/

The notion of sharing your problems so you can learn from the problems of others is valid, but I'm not sure how well it works.

There are many non-technical drivers to keep things private; your stock price could take a hit, etc.

David


-----Original Message-----
From: Voipsec [mailto:voipsec-bounces at voipsa.org] On Behalf Of Mark R Lindsey
Sent: Friday, February 21, 2014 14:26
To: Fred Posner
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] [VoiceOps] Tackling VoIP fraud, new idea

Why would $BIG_CORPORATION allow disclosure of any breach they're not obligated to disclose? 

We know the most common way that home burglaries occur is to knock in the front door. And we talk about it openly. And we build better doors.

I'm with Fred Posner.

>>> mark at ecg.co +1-229-316-0013 http://ecg.co/lindsey

On Feb 21, 2014, at 17:20 , Fred Posner <fred at palner.com> wrote:

> The more difficult we make it to share information, the less information will get shared.
> 
> Personally, I'm in favor of an open forum, as the ideal way to attack fraud would be to bring any discussion into the sunlight -- again, just my seasoned opinion.
> 
> The more we discuss, the more they will change tactics. Which we will learn, discuss, and then they will again change tactics.
> 
> Fraud, at its simplest description, is an exploitation of flaws. The more we harden our systems to prevent the exploitation of a flaw, the better we will be; the better VoIP will be.
> 
> I feel that the more cloaked these conversations will be, the more our systems and protocols will remain flawed.
> 
> I see the potential for fraudsters to see what we know, what we don't know (potentially), and to me... that's fine. When they realize we have found a certain scheme, they will move on to discover a new method.
> 
> --
> Fred Posner | The Palner Group, Inc.
> http://qxork.com
> 
> On 2/21/14, 5:04 PM, Gast, Jim wrote:
> > (Apologies if you got 2 copies . . . I had not been a subscriber to 
> > voipsec at voipsa.org so my reply bounced!)
> >
> > Hi, team -
> >
> > In the early days of Public Key Infrastructure, we had easy ways to 
> > solve these trust questions.
> >
> > The list admin creates a public-key  / private-key pair called the 
> > LIST_CERT.  Giving anyone the LIST_CERT gives them both keys in the 
> > pair.
> >
> > The list admin creates a public-key / private-key pair called the 
> > VoIPSec Certificate Authority key-pair.  The public-key becomes 
> > publicly available, but the private key is NEVER GIVEN OUT to anyone.
> > The VoIPSec_CA_CERT contains the public-key, but NOT the 
> > private-key.
> >
> > To join the list, each participant must prove (once) that the email 
> > address they give us is authentic.  The new participant creates a 
> > personal key pair and gives ONLY the public key to the list 
> > administrator as a certificate signing request.  The new participant 
> > will then be given a CERTificate that signs his personal public key 
> > with the VoIPSec_CA key.
> >
> > Legitimate participants to the mailing list are given the LIST_CERT.
> > If someone does not have the LIST_CERT, eavesdroppers will be unable 
> > to decrypt emails on the list.
> >
> > All emails to the email list are SIGNED by a personal CERT (that is 
> > SIGNED by VoIPSec_CA) and the body of the email is also ENCRYPTED 
> > using the LIST_CERT.
> >
> > Since the signature will match, the email could only have come from 
> > that particular sender (and the body could not have been altered).
> > And the body of every email can be decrypted by any authentic list 
> > member.
> >
> > Does that work well?
> >
> > Cheers,
> >
> > / Jim Gast, TDS Telecom
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
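
The list scheme Jim Gast proposes in the quoted message, sketched with the openssl CLI as an added example that is not part of any message in this thread. S/MIME as the message format, RSA-2048, the file names and the members "alice" and "mallory" are all assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example; file and member names are constructed for illustration.

# self_sign DIR NAME: self-signed key pair and cert (CA, LIST_CERT, outsider).
self_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# setup_list DIR: the VoIPSec CA (ca.key never leaves the admin) and the
# shared LIST_CERT pair (list.key is handed to every vetted member).
setup_list() { self_sign "$1" ca && self_sign "$1" list; }

# enroll DIR MEMBER: member sends only a CSR; the CA signs the public key.
enroll() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# post DIR MEMBER TEXT OUT: sign with the personal cert, encrypt to LIST_CERT.
post() {
  printf '%s\n' "$3" > "$1/plain.txt"
  openssl smime -sign -text -in "$1/plain.txt" -signer "$1/$2.crt" \
    -inkey "$1/$2.key" -out "$1/signed.eml" 2>/dev/null &&
  openssl smime -encrypt -aes256 -in "$1/signed.eml" -out "$4" "$1/list.crt"
}

# read_post DIR MSG: decrypt with the shared list key, then require a
# signature that chains to the CA. Prints the body, or returns 1.
read_post() {
  openssl smime -decrypt -in "$2" -recip "$1/list.crt" -inkey "$1/list.key" \
    -out "$1/inner.eml" 2>/dev/null || return 1
  openssl smime -verify -in "$1/inner.eml" -CAfile "$1/ca.crt" -text \
    -out "$1/body.txt" 2>/dev/null || return 1
  tr -d '\r' < "$1/body.txt"
}

demo() {
  t=$(mktemp -d)
  setup_list "$t" && enroll "$t" alice && self_sign "$t" mallory
  post "$t" alice "toll-fraud pattern seen on trunk 7" "$t/ok.msg"
  post "$t" mallory "trust me" "$t/bad.msg"
  echo "alice:   $(read_post "$t" "$t/ok.msg" || echo REJECTED)"
  echo "mallory: $(read_post "$t" "$t/bad.msg" || echo REJECTED)"
  rm -rf "$t"
}
demo
```

Because every member holds list.key, dropping a member means issuing a new LIST_CERT to everyone who remains.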

