Re: [Asterisk-Users] VOIP Spam
Tom Green wrote:
> Some people have suggested maintaining black lists and white lists to avoid spammers and allow legitimate callers into the network. However, the problem with this method is that the spammer's IP address might change due to DHCP. Today a spammer might get aaa.bbb.ccc.ddd and let's say that I put this address in my blacklist. To my annoyance, tomorrow a legitimate caller might get aaa.bbb.ccc.ddd and the spammer might get a different IP address. In the end, I end up blocking the legitimate caller also. Any ideas or thoughts on this problem are appreciated.

A couple of discussions about this have come up, and something occurred to me about the FCC decision about Free World Dialup not being classified as a phone service. This opens the flood gates to telemarketers to FWD users, as they don't have to honour any form of do-not-call list the FCC issues, which then of course leads on to other systems like IAXTEL with all voice data over the internet rather than the PSTN network...

Also, a possible solution may have come out of the same discussions. Technically, if everyone enforces some kind of ENUM lookup before accepting calls, and the same ENUM lookup returns NAPTR records, then a slight modification to loop through all DNS records could be checked against the current hostname/IP in a similar fashion to SPF records and mail servers... End result is a nice neat little database of blacklisted phone numbers rather than IPs; you'd need some resolution service/time-out period to remove the blacklisting, but it's a lot harder to get new phone numbers than new IPs...

PS We've come up with a patch to the ENUM lookup to return a Caller Name from a TXT record; appreciate any feedback, our C skills are a little rusty so it's possibly not the most elegant solution...

http://bugs.digium.com/bug_view_page.php?bug_id=0001442

-- 
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
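As an added illustration of the ENUM check and the number-keyed blacklist described in the post above (example code written for this page; it is not part of the post, of the bug-tracker patch, or of Asterisk's own enum lookup): the block resolves an E.164 number to its e164.arpa name, applies the NAPTR regexp fields to obtain the published SIP/IAX URIs, and accepts a call only when the host presenting that number is one the number's own ENUM records point at, the SPF-style test the post proposes. Everything runs offline: the NAPTR zone, the numbers and the hosts are constructed for the example, and the "time-out period" is a plain TTL on the blacklist entry.

```python
import re
import time

# Constructed stand-in for an e164.arpa / e164.org zone: reversed-digit name ->
# NAPTR fields (order, preference, flags, service, regexp, replacement).
# Numbers and hosts are invented for this example.
CONSTRUCTED_ZONE = {
    "4.3.2.1.5.5.5.2.1.6.1.e164.arpa": [
        (100, 20, "u", "E2U+iax2", "!^.*$!iax2:guest@iax.example.net/12345!", "."),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:12345@pbx.example.net!", "."),
    ],
    "9.8.7.6.5.5.5.8.1.6.1.e164.arpa": [
        (100, 10, "u", "E2U+sip", "!^.*$!sip:offers@adverts.example.org!", "."),
    ],
}

def enum_domain(number, suffix="e164.arpa"):
    """'+1 612 555 1234' -> '4.3.2.1.5.5.5.2.1.6.1.e164.arpa' (RFC 3761 naming)."""
    digits = re.sub(r"\D", "", number)
    return ".".join(reversed(digits)) + "." + suffix

def apply_naptr_regexp(regexp, subject):
    """Apply an RFC 3403 regexp field 'DELIM ere DELIM repl DELIM [flags]' to subject."""
    delim = regexp[0]
    ere, repl, flags = regexp[1:].split(delim)[:3]
    opts = re.IGNORECASE if "i" in flags else 0
    if re.search(ere, subject, opts) is None:
        return None
    return re.sub(ere, repl, subject, count=1, flags=opts)

def enum_uris(number, zone):
    """Return [(service, uri), ...] for a number, in NAPTR order/preference order."""
    uris = []
    for order, pref, flags, service, regexp, _repl in sorted(zone.get(enum_domain(number), [])):
        if flags.lower() == "u":                 # terminal rule: the regexp yields a URI
            uri = apply_naptr_regexp(regexp, number)
            if uri:
                uris.append((service, uri))
    return uris

def uri_host(uri):
    """Host part of sip:user@host[:port] or iax2:user@host/ext; None if unparsable."""
    m = re.match(r"^[a-z0-9+.-]+:(?:[^@/]*@)?([^:/;?]+)", uri, re.IGNORECASE)
    return m.group(1).lower() if m else None

def host_authorised_for_number(number, observed_host, zone):
    """SPF-like check: may observed_host legitimately present this caller number?"""
    return any(uri_host(uri) == observed_host.lower() for _svc, uri in enum_uris(number, zone))

class NumberBlacklist:
    """Blacklist keyed by E.164 number rather than IP, with a time-out per entry."""
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._expiry = {}

    @staticmethod
    def _key(number):
        return re.sub(r"\D", "", number)

    def add(self, number, now=None):
        self._expiry[self._key(number)] = (now if now is not None else time.time()) + self.ttl

    def is_listed(self, number, now=None):
        now = now if now is not None else time.time()
        exp = self._expiry.get(self._key(number))
        if exp is None:
            return False
        if now >= exp:                           # entry timed out: forget it
            del self._expiry[self._key(number)]
            return False
        return True

def screen_call(number, observed_host, zone, blacklist, now=None):
    """Decision for an incoming call asserting `number` from `observed_host`."""
    if not host_authorised_for_number(number, observed_host, zone):
        return "reject-host"          # no ENUM record for this number points at the caller
    if blacklist.is_listed(number, now):
        return "reject-blacklisted"
    return "accept"
```

The ordering matters: the host check runs first, because a blacklist keyed by number is only meaningful once a caller cannot present somebody else's number from an arbitrary host. Against a live zone, `CONSTRUCTED_ZONE` would be replaced by a real NAPTR lookup of `enum_domain(number)` (with the e164.org suffix if that is the tree in use).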
Re: [Asterisk-Users] VOIP Spam
At 8:32 AM -0700 on 4/15/04, Tom Green wrote:
> Hi,
> Some people have suggested maintaining black lists and white lists to avoid spammers and allow legitimate callers into the network. However, the problem with this method is that the spammer's IP address might change due to DHCP. Today a spammer might get aaa.bbb.ccc.ddd and let's say that I put this address in my blacklist. To my annoyance, tomorrow a legitimate caller might get aaa.bbb.ccc.ddd and the spammer might get a different IP address. In the end, I end up blocking the legitimate caller also. Any ideas or thoughts on this problem are appreciated.
> Thanks, Tom

I've read the rest of this thread about PKI, shared certs, etc., but I think that an important middle step is being missed by everyone. I believe strongly in the concept of end-to-end connectivity as the optimal method to ensure authentication and authorization between two user agents (web, VoIP, email, whatever.) However, it is often difficult to build such mechanisms that are easily used by the end user. Most end users will happily hand over the responsibility for protection against spam in any form to a central administrator, and I think that as a first step it is appropriate to move the smart stuff to a central server instead of to every user's desktop (though eventually there should be smart stuff on the desktop.)

To this end: why is it _mandatory_ that all VoIP endpoints accept calls from other endpoints? Of course, you could filter based on some type of kludgy network filters, but that is ugly and does not scale. SIP (and possibly IAX; I haven't looked at it much) has the ability to demand credentials from the remote host. Why don't we use these features?

Here is my ideal world: When a SIP INVITE (or NOTIFY, or whatever) hits my desk SIP phone, it should refuse the message with a 401 Unauthorized message. Without correct credentials, messages simply aren't allowed past the threshold of the SIP UA. This should be a configurable option on my SIP UA - maybe I have some reasons to allow all messages from all hosts at some time. However, most of the time I would want my SIP server (Asterisk, SER, whatever) to be in the path, and that smart gateway could do my blacklisting, authentication (PKI, etc.) and other tasks which would require more brains and more central administration.

No SIP device that I've ever seen has the option to deny SIP messages from all but authenticated hosts. Why is that? Seems pretty obvious. It's always the other way around - SIP proxies allow or disallow messages according to authentication credentials (shared secret.) Since I've never seen this in place, perhaps it is the case that I am misunderstanding how authentication can possibly work with SIP between a UA and a proxy?

JT
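As an added illustration of the behaviour JT describes above (example code written for this page, not code from JT, from Asterisk or from any SIP stack): a callee-side UA that answers every request lacking credentials with 401 Unauthorized and a Digest challenge, and only returns 200 once the caller has answered the challenge with the shared secret. The digest is the RFC 2617 MD5 scheme without qop, computed over the method and request-URI, which is the form SIP user agents commonly implement; the realm, the user database and the INVITE headers are constructed for the example. Each nonce is accepted exactly once, so a captured Authorization header cannot simply be replayed.

```python
import hashlib
import hmac
import re
import secrets

REALM = "pbx.example.net"                         # assumed realm
CREDENTIALS = {"jt": "correct-horse-battery"}     # constructed user database

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_message(msg):
    """Split a SIP message into (start line, {lower-cased header: value})."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_digest_params(value):
    """'Digest a="x", b="y", algorithm=MD5' -> {'a': 'x', 'b': 'y'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

class SipUa:
    """Callee-side user agent: no valid Digest credentials, no call."""
    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials
        self.open_nonces = set()          # issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return ("SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5\r\n\r\n')

    def handle(self, request):
        start, headers = parse_message(request)
        method, uri, _version = start.split(" ", 2)
        auth = headers.get("authorization")
        if auth is None:
            return self.challenge()
        p = parse_digest_params(auth)
        user, nonce = p.get("username"), p.get("nonce")
        if nonce not in self.open_nonces:           # unknown, expired or already used
            return self.challenge()
        self.open_nonces.discard(nonce)             # one request per nonce
        if user not in self.credentials or p.get("realm") != self.realm or p.get("uri") != uri:
            return self.challenge()
        expected = digest_response(user, self.realm, self.credentials[user], method, uri, nonce)
        if not hmac.compare_digest(expected, p.get("response", "")):
            return self.challenge()
        return "SIP/2.0 200 OK\r\n\r\n"

def build_invite(uri, auth_header=None):
    hdrs = [f"INVITE {uri} SIP/2.0", "From: <sip:alice@caller.example.com>", f"To: <{uri}>"]
    if auth_header:
        hdrs.append("Authorization: " + auth_header)
    return "\r\n".join(hdrs) + "\r\n\r\n"

def place_call(ua, user, password, uri):
    """Caller side: send INVITE, answer the 401 challenge, return the final status code."""
    status, headers = parse_message(ua.handle(build_invite(uri)))
    if not status.startswith("SIP/2.0 401"):
        return int(status.split()[1])
    ch = parse_digest_params(headers["www-authenticate"])
    resp = digest_response(user, ch["realm"], password, "INVITE", uri, ch["nonce"])
    auth = (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')
    return int(parse_message(ua.handle(build_invite(uri, auth)))[0].split()[1])
```

A proxy in the path would use 407 Proxy Authentication Required and Proxy-Authorization instead of 401 and Authorization; the computation is the same. Digest only proves knowledge of the shared secret and does not protect the call's contents, which is why the thread moves on to TLS and certificates.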
Re: [Asterisk-Users] VOIP Spam
Duane wrote:
> Tom Green wrote:
>> Brian,
>> Encrypted SIP messages can be sent using TLS. However, I don't think it is realistic to expect everyone calling you to have a public/private key pair.
>
> I don't quite agree. SMTP servers that support SMTP-TLS and have valid certs + config do exactly that already...

But I think Tom's point is that SMTP-TLS is not very common. However, a PKI for VoIP would be much easier, and much more manageable, than PKI for email. Each provider would have to maintain a key server that stored keys for their users. Then, a public, central registry of provider keys would be needed. The main challenge would be getting private keys into phones.

Alice --- Alice's Provider (AP Co.) --- Bob's Provider (BP Co.) --- Bob
[Signed by Alice]   [Alice's Verified Sig]   [Alice's Verified Sig]
                    [Signed by AP Co.]       [AP Co.'s Verified Sig]
                                             [Signed by BP Co.]

In this system, Alice would sign and send her SIP messages to her provider's SIP proxy. Her provider's (AP Co.'s) proxy would verify the signature with its own key server and, if valid, would sign it with the AP Co. key and pass it on to BP Co.'s proxy server. The BP Co. proxy could then check AP Co.'s signature, sign the message, and pass it to Bob. Bob, then, must only check that the message is signed by the user's provider.

There are, of course, weaknesses in this plan. To name a few:

1. It's a chain of trust: it's hard for Bob to verify Alice's signature directly
   - Not impossible to fix
2. A central registry must be created that's free and open for providers to use but secure enough to verify members.
   - Think about the global IP address distribution agencies
3. Phones must get private keys securely.

Nick
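The provider-to-provider signature chain Nick sketches above, as an added example (written for this page; not code from the thread or from any VoIP product). Python's standard library has no asymmetric signature primitive, so the block carries textbook RSA over SHA-256 with no padding purely so that sign/verify are real public-key operations; the key size and the bare RSA construction are a toy, and a deployment would use a proper signature scheme from a crypto library. Each hop signs the message together with every signature already on it, so AP Co. vouches for Alice's signature, BP Co. vouches for AP Co.'s, and Bob checks only his own provider's signature, which is exactly weakness 1 (Bob never touches Alice's key). Provider names, users, the registry and the INVITE body are constructed for the example.

```python
import hashlib
import math
import random

KEY_BITS = 512          # toy size so the demo runs quickly; far too small for real use

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=KEY_BITS):
    """Textbook RSA keypair: returns (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    d, n = private
    return pow(_h(data), d, n)

def verify(public, data, sig):
    e, n = public
    return pow(sig, e, n) == _h(data)

def _signed_input(msg, sigs):
    """Each hop signs the message plus every signature already on it (counter-signing)."""
    return msg + b"".join(s.to_bytes(KEY_BITS // 8, "big") for _name, s in sigs)

class Provider:
    """A VoIP provider with its own user key server and an entry in the shared registry."""
    def __init__(self, name, registry):
        self.name, self.registry = name, registry
        self.public, self._private = keygen()
        self.user_keys = {}                  # this provider's key server: user -> public key
        registry[name] = self.public         # the central registry of provider keys

    def enrol(self, user):
        """Issue a keypair to a user; returns the private key that has to reach the phone."""
        pub, priv = keygen()
        self.user_keys[user] = pub
        return priv

    def _countersign(self, msg, sigs):
        return sigs + [(self.name, sign(self._private, _signed_input(msg, sigs)))]

    def forward_outbound(self, user, msg, sigs):
        """AP Co.'s step: check the user's signature against our key server, then add ours."""
        if not sigs or sigs[-1][0] != user or user not in self.user_keys:
            return None
        if not verify(self.user_keys[user], _signed_input(msg, sigs[:-1]), sigs[-1][1]):
            return None
        return self._countersign(msg, sigs)

    def accept_inbound(self, msg, sigs):
        """BP Co.'s step: check the sending provider's signature via the registry, then add ours."""
        if not sigs or sigs[-1][0] not in self.registry:
            return None                      # unknown provider: nobody vouches for this call
        if not verify(self.registry[sigs[-1][0]], _signed_input(msg, sigs[:-1]), sigs[-1][1]):
            return None
        return self._countersign(msg, sigs)

def callee_accepts(msg, sigs, home_provider):
    """Bob's only check: the outermost signature is his own provider's and it verifies."""
    if not sigs or sigs[-1][0] != home_provider.name:
        return False
    return verify(home_provider.public, _signed_input(msg, sigs[:-1]), sigs[-1][1])

def run_demo():
    """Legitimate call, tampered body, and a call relayed by a provider not in the registry."""
    registry = {}
    ap, bp = Provider("AP Co.", registry), Provider("BP Co.", registry)
    alice_priv = ap.enrol("alice")
    msg = b"INVITE sip:bob@bp.example.net SIP/2.0\r\nFrom: <sip:alice@ap.example.net>\r\n\r\n"
    chain = bp.accept_inbound(msg, ap.forward_outbound("alice", msg, [("alice", sign(alice_priv, msg))]))
    rogue = Provider("Rogue Co.", {})        # registered only in its own private registry
    m_priv = rogue.enrol("mallory")
    rogue_chain = rogue.forward_outbound("mallory", msg, [("mallory", sign(m_priv, msg))])
    return {
        "legitimate": callee_accepts(msg, chain, bp),
        "tampered": callee_accepts(msg + b"X", chain, bp),
        "unknown_provider": bp.accept_inbound(msg, rogue_chain) is not None,
    }
```

Note what the registry buys and what it does not: BP Co. rejects the rogue provider because its name is absent from the shared registry, but once a provider is in the registry, Bob's phone trusts whatever that provider (and, transitively, AP Co.'s key server) vouched for. The `enrol()` return value is weakness 3 in the post: the private key still has to get into the phone over some channel the code does not model.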
Re: [Asterisk-Users] VOIP Spam
Nicholas Bachmann wrote:
> 1. It's a chain of trust: it's hard for Bob to verify Alice's signature directly
>    - Not impossible to fix

CAcert.org's whole purpose is cheap, easily obtainable security... It employs a web of trust in the website framework to build up and distribute face-to-face identification checks...

> 2. A central registry must be created that's free and open for providers to use but secure enough to verify members.

Again CAcert.org fulfils these criteria...

>    - Think about the global IP address distribution agencies
> 3. Phones must get private keys securely.

The last one is as much a technical issue as a people issue, although PIX firewalls implement (forget the acronym) where they send a request to a CA and the CA sends back a certificate. I keep meaning to implement it for CAcert but I lack a PIX for dev testing...

-- 
Best regards, Duane
Re: [Asterisk-Users] VOIP Spam
Duane wrote:
> Nicholas Bachmann wrote:
>> 1. It's a chain of trust: it's hard for Bob to verify Alice's signature directly
>>    - Not impossible to fix
>
> CAcert.org's whole purpose is cheap, easily obtainable security... It employs a web of trust in the website framework to build up and distribute face-to-face identification checks...

A web of trust is different from the chain of trust I'm talking about. In a web of trust, a key is signed by lots of different people; ideally, everybody can trust everybody. In a chain of trust, each member only knows and trusts the adjacent members.

>> 2. A central registry must be created that's free and open for providers to use but secure enough to verify members.
>
> Again CAcert.org fulfils these criteria...

Sort of... CAcert.org is a Certificate Authority. A CA just signs public keys, while a key server stores a copy of them. What I'm talking about is more like http://pgp.mit.edu/.

>>    - Think about the global IP address distribution agencies
>> 3. Phones must get private keys securely.
>
> The last one is as much a technical issue as a people issue, although PIX firewalls implement (forget the acronym) where they send a request to a CA and the CA sends back a certificate. I keep meaning to implement it for CAcert but I lack a PIX for dev testing...

But we're not looking at certificates; we're looking at public/private keypairs. Phones can generate the keypairs, but how does the phone prove to the key server that it is an authorized phone? With just a simple password?

Nick
Re: [Asterisk-Users] VOIP Spam
Nicholas Bachmann wrote:
> A web of trust is different from the chain of trust I'm talking about. In a web of trust, a key is signed by lots of different people; ideally, everybody can trust everybody. In a chain of trust, each member only knows and trusts the adjacent members.

CAcert doesn't operate a web of trust in the PGP sense; for someone to issue trust points to other people they must already have a certain amount of trust points themselves.

Both PKI and PGP models will fail, not because of the technology but because of the people factor. The PKI model *can* be, to a larger extent, slightly more resilient: in general no CA would have reason to issue false certificates and *usually* you can be sure more are issued on a correct basis. In the PGP model, if you lived in say Africa and wanted to communicate with someone in South America with little or no prior relationship, and you wanted to be sure the communication wouldn't be intercepted, you have 2 choices: fly to meet each other, or gain trust that you both are who you say you are from an impartial 3rd party that, if it did its job correctly, would be correct.

*BUT*, and it's a very big but, there are 2 or 3 flaws in the PKI model. Firstly, there is a crap load of money usually involved, and where there is money there is usually corruption. At this stage of the game the PKI industry has had very little overall impact: something like 0.3% of web servers (not websites) are protected with a valid certificate issued by a valid CA; the number of invalid, self-signed and non-valid signed certificates is closer to 1.3%. There are a lot of websites that should use some form of crypto to protect against passive listening. Another major flaw is that PKI based on issued certificates from any CA would be worthless in protecting a person in a country where governments repress free speech by arresting and killing their citizens. In the UK I believe the government has laws in place so they can demand your private key, and the US could coerce by legal means to force CAs to issue false certificates and then stick a gag order on them. The PGP model would obviously be an advantage in this case, but most people don't have a clue about security practices and get so many pop-up warning messages they simply click OK to whatever comes up.

The other flaw is safe keeping of certificates: unless you have a hardware device, the more difficult you make it for someone to break digital security will only make them turn round and break physical security... Passwords are inherently bad and there are numerous articles on people giving their work/email passwords away for a cheap pen...

> Sort of... CAcert.org is a Certificate Authority. A CA just signs public keys, while a key server stores a copy of them. What I'm talking about is more like http://pgp.mit.edu/.

Working on it; we actually have a finger daemon set up/running to reply with certificates if you send it an exact request that matches an entry in the database, whether hostname or email address... I've penned an internet-draft on what we've done which can be read here: http://www.cacert.org/index.php?id=26prob=8 I keep meaning to post it to the IETF as an informational document...

> But we're not looking at certificates; we're looking at public/private keypairs. Phones can generate the keypairs, but how does the phone prove to the key server that it is an authorized phone? With just a simple password?

The PIX sends a certificate signing request and holds onto the private key; the CA then replies with a signed certificate and the PIX stores that with the private key... When grabbing a certificate it doesn't matter if it's authorised to or not, because it has the private key so only it can decode data sent to it using the public certificate...

-- 
Best regards, Duane
Re: [Asterisk-Users] VOIP Spam
On Sun, Apr 18, 2004 at 09:31:48AM +1000, Duane spake thusly:
> be sure more are issued on a correct basis. PGP model if you lived in say Africa and wanted to communicate with someone in South America with little or no prior relationship and you wanted to be sure the communication wouldn't be intercepted you have 2 choices, fly to meet each other or gain trust you both are who you say you are from an impartial 3rd party that if it did its job correctly would be correct.

I prefer the PGP model because it includes the CA model. That is to say that you can still have a CA within the PGP model. Both myself and my colleague from Africa could pay a central CA we both trust (Verisign, Thawte, whoever) to sign our keys and connect us in the web of trust.

> *BUT*, and it's a very big but, there are 2 or 3 flaws in the PKI model, firstly there is a crap load of money usually involved, where there is money there is usually corruption, at this stage of the game the PKI industry has had very little overall impact, something like 0.3% of web

Yep. We end up with collusion which prevents competition in the CA space. It's a shame common browsers only support a few select CAs.

> PGP model would obviously be an advantage in this case, but most people don't have a clue about security practices and get so many pop-up warning messages they simply click OK to whatever comes up.

I think huge improvements are needed in software to handle this. We really need to encourage everyone to use signatures etc. and make them so prevalent that email programs etc. will simply refuse to accept or display non-signed and authenticated messages/connections/whatever.

> The other flaw is safe keeping of certificates, unless you have a hardware device, the more difficult you make it for someone to break digital security will only make them turn round and break physical security...

Indeed, but that is a far better situation than we are in now. We know very well how to deal with physical security due to thousands of years of doing so.

-- 
Tracy Reed
The attachment is a digital signature.
http://copilotconsulting.com
More info: http://copilotconsulting.com/sig
Re: [Asterisk-Users] VOIP Spam
Tracy R Reed wrote:
> I prefer the PGP model because it includes the CA model. That is to say that you can still have a CA within the PGP model. Both myself and my colleague from Africa could pay a central CA we both trust (Verisign, Thawte, whoever) to sign our keys and connect us in the web of trust.

Just a little matter of key distribution: how do you know the CA key given to you is actually the CA's? Especially since Thawte no longer does PGP key signing and Verisign is making too much money from PKI... There are a number of issues with the PGP model: it contains an email address, how do you match that against a hostname? As far as I know there are no hardware devices to store PGP keys, or accelerator cards (crypto does chew through a bit of CPU); both devices exist for PKI certificates/keys...

> Yep. We end up with collusion which prevents competition in the CA space. It's a shame common browsers only support a few select CAs.

Mozilla Foundation, its developers and direct support staff (paid/unpaid) are currently reviewing about a dozen or so CAs for inclusion in their browser. CAcert is one of them, which will be good for the community if we can get in, as we provide all certificates for free...

> I think huge improvements are needed in software to handle this. We really need to encourage everyone to use signatures etc. and make them so prevalent that email programs etc. will simply refuse to accept or display non-signed and authenticated messages/connections/whatever.

This would be good and bad. If you force the issue you will end up with 2 things: fewer people being able to email you, and in the very long term encrypted spam, so we end up with them beating scanners that way... It's a balancing act; push things one way, you have to even them up the other...

There will be 3 consequences from mass encryption adoption: encrypted spam, and forcing governments to do due diligence as they will no longer be able to simply passively collect any traffic passing their monitoring devices; they'd have to go back to a situation of only targeting people they really had to. This is obviously a good thing, and even the encrypted spam, while being annoying, would tick any gov surveillance off due to the sheer number of spam messages that could be encrypted, which would be the equivalent of noise to them... The 3rd is a little more serious: since most people wouldn't care about due diligence with crypto, they wouldn't care if they did it right or who they accepted. This is clearly visible from the latest virus trends where they exploit human ignorance, greed and stupidity, not exploiting computer software. What else could it be called where a person opens a zip file, uses a password in the email, and runs the program in the zip file, infecting themselves... So I foresee a lot of misuses from crypto as much as anything else if/when the general populace gets into it...

> Indeed but that is a far better situation than we are in now. We know very well how to deal with physical security due to thousands of years of doing so.

So that's why people still get broken into and all their contents stolen :)

-- 
Best regards, Duane
Re: [Asterisk-Users] VOIP Spam
On Sun, Apr 18, 2004 at 10:22:08AM +1000, Duane spake thusly:
> Just a little matter of key distribution, how do you know the CA key given to you is actually the CA's? Especially since Thawte no longer does PGP key signing and Verisign is making too much money from PKI...

Same way I know someone's key is theirs: by the PGP fingerprint. It's well publicized and they use it quite a bit.

> There are a number of issues with the PGP model, it contains an email address, how do you match that against a hostname? As far as I know there are no hardware devices to store PGP keys, or accelerator cards (crypto does chew through a bit of CPU) both devices exist for PKI certificates/keys...

Not sure what you mean by matching an email address against a hostname, but a lot of the crypto accelerator cards implement fundamentals that could be used in either system, and more specific hardware devices would certainly come along if more people used it. But with the speed and SIMD capability of modern CPUs I'm not too concerned either way.

> Mozilla Foundation, its developers and direct support staff (paid/unpaid) are currently reviewing about a dozen or so CAs for inclusion in their browser, CAcert is one of them, which will be good for the community if we can get in, as we provide all certificates for free...

Very cool.

> This would be good and bad, if you force the issue you will end up with 2 things, fewer people being able to email you, and in the very long term encrypted spam so we end up with them beating scanners that way...

If the MUA authors forced the issue everyone would use crypto. Look at what Outlook did for HTML mail. Encrypted spam would be difficult for the spammers to do. It would consume huge resources, make spam a lot more expensive, and if they signed the spam with a trusted key such that my MUA trusted them you can be sure the signer would revoke his signature lest he get the signatures on his own key revoked by someone.

> and runs the program in the zip file infecting themselves... So I foresee a lot of misuses from crypto as much as anything else if/when the general populace gets into it...

Some very interesting points. Especially about encrypted spam confounding the government. Although I doubt they would encrypt spam, it does add chaff to the wheat to help hide us all. Just like the everyone sending their letters in envelopes instead of on postcards analogy.

> So that's why people still get broken into and all their contents stolen :)

On a per capita basis it's not nearly as often as computers get broken into. :) Whenever anyone bothers to try to physically secure their stuff they usually do a pretty good job. Not so with computers.

-- 
Tracy Reed
Re: [Asterisk-Users] VOIP Spam
Tracy R Reed wrote:
> Same way I know someone's key is theirs, by the PGP fingerprint. It's well publicized and they use it quite a bit.

But have you ever met face to face with an employee from a CA and verified they were an employee, or just grabbed the info from their website and assumed there was no man-in-the-middle attack sending you an alternate key/fingerprint? (Yes, I know this is highly unlikely; however high-profile targets would be possible at some point. How lucky do you feel? :)

> Not sure what you mean by matching an email address against a hostname but a lot of the crypto accelerator cards implement fundamentals that could be used in either system and more specific hardware devices would certainly come along if more people used it. But with the speed and SIMD capability of modern CPUs I'm not too concerned either way.

If we make up some number (I have seen figures for websites, can't seem to find them at present), anyway say a TLS/SSL operation uses 8x more CPU power than a non-TLS connection. This means if you are running a VoIP-to-PSTN service or in an office environment with a large amount of handsets/calls you need 8x more servers or 8x fewer clients, so there is definitely a cost involved there even if CPUs etc. are cheaper...

As for hostname matching: you run an ENUM check on a phone number, it returns a URL... say iaxtel.com... you connect to it and it then says "I'm able to provide encryption, here is my public certificate". You grab the certificate and it has [EMAIL PROTECTED], which doesn't match iaxtel.com, or even if it was [EMAIL PROTECTED], how do you know that email account should be able to say "I validate this server is the one you should be talking to", and that DNS hasn't been hijacked? PGP can't easily deal with this, and if you start connecting to foreign Asterisk servers via ENUM services how can you validate them without prior relationships? While PKI may be flawed it is better than the current alternatives at present...

Umm, just a side note: we have a working enum.164 website/DNS ( http://e164.org ) service that now does PSTN verification (due diligence) by calling you and reading out a PIN number. Currently a little rough; we need a few IVR records (which will be done within the next few days), and need to update the documentation on the website, however it does seem to work reasonably well...

> If the MUA authors forced the issue everyone would use crypto. Look at what Outlook did for HTML mail. Encrypted spam would be difficult for the spammers to do. It would consume huge resources, make spam a lot more expensive, and if they signed the spam with a trusted key such that my MUA trusted them you can be sure the signer would revoke his signature lest he get the signatures on his own key revoked by someone.

Most HTML emails have a non-HTML component as well, and with the amount of people that dislike HTML emails I don't see this as a good comparison ;) You can't enforce crypto from a MTA/MUA point of view; there is a whole bunch of complications if you force certificates on people, like you'd have to get them a public/private key pair and then, well, it wouldn't be so private...

> Some very interesting points. Especially about encrypted spam confounding the government. Although I doubt they would encrypt spam it does add chaff to the wheat to help hide us all. Just like the everyone sending their letters in envelopes instead of on postcards analogy.

The reason they would is to beat the virus/spam filters currently in operation at a MTA level; they would be rendered useless. At present all you need is a valid email address to get a certificate issued from a CA with their root certificate in most/all current email clients...

> On a per capita basis it's not nearly as often as computers get broken into. :) Whenever anyone bothers to try to physically secure their stuff they usually do a pretty good job. Not so with computers.

Maybe cars being stolen was a better suggestion: break a window and you're in unless they have an alarm (computers can also have alarms in this sense)

-- 
Best regards, Duane
Re: [Asterisk-Users] VOIP Spam
On Sun, Apr 18, 2004 at 11:13:27AM +1000, Duane spake thusly:
> But have you ever met face to face with an employee from a CA and verified they were an employee or just grabbed the info from their website and assumed there was no man-in-the-middle attack sending you an alternate key/fingerprint (yes I know this is highly unlikely however high-profile targets would be possible at some point, how lucky do you feel? :)

No, I haven't. And you are right, it is highly unlikely. Knowing that someone was going to want to get a key signed, putting the bogus info where they would find it, tricking someone into calling you and giving them a bogus key, etc. is all very difficult. I think we are going to have to give up the notion of 100% security and accept the very small chance (orders of magnitude smaller than now) of someone being fooled if we ever want to get this stuff deployed.

> If we make up some number, I have seen figures for websites can't seem to find them at present, anyways say a TLS/SSL operation uses 8x more CPU power than a non-TLS connection, this means if you are running a VoIP to PSTN service or in an office environment with a large amount of handsets/calls you need 8x more servers or 8x fewer clients so there is definitely a cost involved there even if CPUs etc are cheaper...

Since most CPUs out there in the world spend 80% of their time idle doing nothing anyway I don't think it would be quite this bad. :)

> As for hostname matching, you run an ENUM check on a phone number, it returns a URL... say iaxtel.com... you connect to it and it then says

Ah. I haven't given too much thought about how it interacts with phone systems yet. I'll ponder this one.

> Umm just a side note, we have a working enum.164 website/DNS ( http://e164.org ) service that now does PSTN verification (due diligence) by calling you and reading out a PIN number, currently a little rough and we need a few IVR records (which will be done within the next few days), and need to update the documentation on the website, however it does seem to work reasonably well...

Very cool. I am reading up on this stuff.

> Most HTML emails have a non-HTML component as well, and the amount of people that dislike HTML emails I don't see this as a good comparison ;)

Indeed. It was just an example of the mail vendors successfully forcing something on everyone.

> You can't enforce crypto from a MTA/MUA point of view, there is a whole bunch of complications if you force certificates on people like you'd have to get them a public/private key pair and then well it wouldn't be so private...

That is fine. The mail administrator can read everything they type into the server anyhow. He can bug their keyboard if he wants.

> The reason they would is to beat the virus/spam filters currently in operation at a MTA level, they would be rendered useless, at present all you need is a valid email address to get a certificate issued from a CA with their root certificate in most/all current email clients...

I doubt they would because it would make spamming much more expensive. Some might, but it makes it much less likely and kills their profits, which removes the incentive.

-- 
Tracy Reed
Re: [Asterisk-Users] VOIP Spam
Tracy R Reed wrote:
> No, I haven't. And you are right it is highly unlikely. Knowing that someone was going to want to get a key signed, putting the bogus info where they would find it, tricking someone into calling you and giving them a bogus key, etc. is all very difficult. I think we are going to have to give up the notion of 100% security and accept the very small chance (orders of magnitude smaller than now) of someone being fooled if we ever want to get this stuff deployed.

Ongoing man-in-the-middle attacks aren't impossible; the FBI's Carnivore system is all over the place and in theory could not only sniff but inject... Then again there are other methods at the disposal of governments...

> Since most CPUs out there in the world spend 80% of their time idle doing nothing anyway I don't think it would be quite this bad. :)

What about Asterisk servers that are already under load? This would multiply the effect. Yes, most servers would idle most of the time, but if you have periods of peak activity this would compound any existing problems you get from this...

> Ah. I haven't given too much thought about how it interacts with phone systems yet. I'll ponder this one.

I believe there is an RFC on PGP use in browsers; I don't know of anyone actually implementing it however...

> Very cool. I am reading up on this stuff.

We wanted a method of dynamic routing so we didn't have an ever-growing list of extensions and IAX/SIP items, not to mention getting away from single points of failure where, if a service is down, you're out of luck; it seemed like enum.164 is the only solution to this problem. We wanted to do things in such a way that we could be relatively certain the person we were calling was who we were expecting and not a telemarketer etc. etc. that had hijacked a heap of numbers... As far as I'm aware no other ENUM system (even the ITU's) currently implements anything that comes close to what we were after...

> Indeed. It was just an example of the mail vendors successfully forcing something on everyone.

The thing is it didn't stop normal text posts, so yes it tacked added functionality on top without denying the existing system; your suggestion doesn't take that into account...

> That is fine. The mail administrator can read everything they type into the server anyhow. He can bug their keyboard if he wants.

Not if you encrypt email at the mail client... He can't bug a remote keyboard... Some of the PKI hardware devices are implemented in a keyboard, and when accessing the certificate the keyboard directs key strokes directly to the hardware reader rather than via the PC...

> I doubt they would because it would make spamming much more expensive. Some might but it makes it much less likely and kills their profits which removes the incentive.

What cost? It's trivial to generate both PGP and self-signed PKI keys using the openssl toolkit; spammers could easily pay someone to grab a new domain/email/certificate daily, $10 in wages? If they get $1000 in profit from $10 in expenses they'd do it...

-- 
Best regards, Duane
[Asterisk-Users] VOIP Spam
Hi,

Some people have suggested maintaining black lists and white lists to avoid spammers and allow legitimate callers into the network. However, the problem with this method is that the spammer's IP address might change due to DHCP. Today a spammer might get aaa.bbb.ccc.ddd and let's say that I put this address in my blacklist. To my annoyance, tomorrow a legitimate caller might get aaa.bbb.ccc.ddd and the spammer might get a different IP address. In the end, I end up blocking the legitimate caller also. Any ideas or thoughts on this problem are appreciated.

Thanks,
Tom
Re: [Asterisk-Users] VOIP Spam
Tom Green wrote:
> Some people have suggested maintaining black lists and white lists to avoid spammers and allow legitimate callers into the network. [...]

Yeah, for a relatively modern protocol SIP has some surprisingly glaring omissions, such as:
- certificate based authentication
- encryption
- NAT-awareness

-brian
Re: [Asterisk-Users] VOIP Spam
Brian Cuthie wrote:
> Yeah, for a relatively modern protocol SIP has some surprisingly glaring omissions, such as:
> - certificate based authentication
> - encryption
> - NAT-awareness

I'd love nothing more than to see some decent crypto in the IAX2 protocol, it already covers the third item on your list... Especially with government agencies so eager to get their mitts into voip tapping, why make it any easier on them...

-- 
Best regards, Duane
Re: [Asterisk-Users] VOIP Spam
Brian,

Encrypted SIP messages can be sent using TLS. However, I don't think it is realistic to expect everyone calling you to have a public/private key pair. Cryptographic solutions have been suggested for email spam also but they have been found to be ineffective because of scalability problems. I'm looking for a spam control solution that avoids cryptography (I prefer non-cryptographic solutions but I am open to new ideas).

Thanks,
Tom.

--- Brian Cuthie [EMAIL PROTECTED] wrote:
> Yeah, for a relatively modern protocol SIP has some surprisingly glaring omissions, such as:
> - certificate based authentication
> - encryption
> - NAT-awareness
>
> -brian
Re: [Asterisk-Users] VOIP Spam
Tom Green wrote:
> Brian, Encrypted SIP messages can be sent using TLS. However, I don't think it is realistic to expect everyone calling you to have a public/private key pair.

SMTP servers that support SMTP-TLS and have valid certs + config do exactly that already...

-- 
Best regards, Duane
Re: [Asterisk-Users] VoIP Spam (was VoYP.Net)
Luckily VoIP telemarketing has a much higher sender/recipient (bandwidth/resource) expense ratio than email spam.. Until of course they figure out how to make VoIP-spam worms to infect a bunch of windows boxes. I bet that VoIP spammers will have the same impeccable ethical standards as their email counterparts, making it difficult to implement do-not-call for voip. Databases aside, nothing prevents them from 'wardialing' sip @fwd.pulver.com or other providers to build telemarketing lists. I suppose it's a looming issue that'll only be a matter of time before becoming serious. Press 1 for viagra, 2 for male enhancement, or 3 for girls-gone-wild.

-- Greg
Greg Retkowski / I.T. Infrastructure Consultant / [EMAIL PROTECTED] / http://www.rage.net/~greg/ / C:408-455-3913

On Mon, 15 Mar 2004, Matt Riddell wrote:
> Only problem I can see is that currently, I can search for a or e etc...if this gives me a list of urls/numbers, what is to stop me feeding them into a database to telemarket to them? As far as I'm aware there is no international Do Not Call registry for internet based calls... Anyone know anymore about this? Anyone keen to help with this? Would it be worthwhile? Is there another?
>
> Kind regards,
> Matt
>
> P.S. I don't really want to do it but someone should and if no one else wants to, I will...
Re: [Asterisk-Users] VoIP Spam (was VoYP.Net)
One of the telemarketing companies I work for uses VOIP for everything, so bandwidth isn't an issue (they are terminating to PSTN in other countries).

Having sent the post I realised that DNC registries are controlled by individual countries' law and so making a worldwide one would be next to impossible to enforce. If one country decided it would get more money by not prosecuting people (who call without first scrubbing against DNC), it would get more business. So...I guess in the end, unless we have a worldwide police force etc, it's not going to happen.

Matt

- Original Message -
From: Greg Retkowski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:02 PM
Subject: Re: [Asterisk-Users] VoIP Spam (was VoYP.Net)

> Luckily VoIP telemarketing is much higher sender/recipient (bandwidth/resource) expense ratio than email spam.. [...]