Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Jay Hennigan

On 4/24/20 16:26, Matthew Black wrote:
> Has anyone else noticed a steep decline in annoying phone calls since
> the FCC threatened legal action against three major VOIP gateways if
> they didn’t make efforts to prevent Caller ID spoofing from scammers?

Not particularly. The car warranty and credit card robocallers are still
very much at it.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Dovid Bender
STIR/SHAKEN?

On Mon, Apr 27, 2020, 14:34 Michael Thomas  wrote:

>
> On 4/27/20 11:12 AM, Jon Lewis wrote:
> > On Mon, 27 Apr 2020, William Herrin wrote:
> >
> >> On Sat, Apr 25, 2020 at 7:32 PM Matthew Black
> >>  wrote:
> >>> Good grief, selling a kit for $47. Since all robocalls employ Caller
> >>> ID spoofing, just how does one prove who called?
> >>
> >> You don't. AFAICT, that's the point of Anne's comments. Finding them
> >> is good enough. Paying off anyone who both finds them and appears well
> >> connected with the law is cheaper than allowing the legal system to
> >> become aware of their identities and activity.
> >>
> >> Blackmail 101 dude. Find someone with a secret and demand payment for
> >> your silence. The best part is that if you're legitimately entitled to
> >> the money because of the secret then it's not technically blackmail.
> >>
> >> Presumably the meat of the $47 kit is about how to tease out enough
> >> clues to search public records and identify them.
> >
> > In my experience, the caller-id is always forged, and the call center
> > reps hang up or give uselessly vague answers if I ask what company
> > they're calling from.  I suspect the only sure way to identify them is
> > to do business with them, i.e. buy that extended warranty on your car,
> > or at least start walking through the process until either payment is
> > made or they tell you who you'll have to pay.  I wonder, if you agree
> > to buy the extended warranty, solely for the purpose of identifying
> > them, can you immediately cancel it / dispute the charge?
> >
> > Then there are the 100% criminal ones calling from "Windows Technical
> > Support" who want to trick you into giving them remote admin access to
> > your PC.  I assume that's a dry well and the best you can hope to do
> > is waste as much of their time as yours and see how foul a mouth they
> > have.
> >
> On the IETF list, I've been making the case that a DKIM-like solution
> for SIP signalling would in fact give you the way to blame somebody,
> which was DKIM's entire raison d'etre. Who cares what the actual fake
> e.164 address is and whether the sending domain is allowed to assert it
> or not? That is rather beside the point. All I care is that the
> originating domain is supporting abuse, and I know what the domain is to
> complain to, ignore, etc.
>
> Mike
>
>
>


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread William Herrin
On Mon, Apr 27, 2020 at 11:12 AM Jon Lewis  wrote:
> I suspect the only sure way to identify them is to do
> business with them, i.e. buy that extended warranty on your car, or at
> least start walking through the process until either payment is made or
> they tell you who you'll have to pay.  I wonder, if you agree to buy the
> extended warranty, solely for the purpose of identifying them, can you
> immediately cancel it / dispute the charge?

Hmm. I wonder... if you get a one-time credit card number from your
bank and limit it to $1, do you get a charge declined message in your
log identifying the merchant?

-Bill



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread bzs


The obvious way to id them is to buy whatever it is they are selling.

So that reduces the problem to being able to cancel the transaction
once id'd, and probably using fraudulent credentials.

It might take a little more strategy than what I just described; there
are other potential pitfalls.

I wouldn't suggest that route to amateurs but it's not quite rocket
surgery.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


NANOG 79 will be a virtual meeting 👉

2020-04-27 Thread NANOG Marketing
*NANOG 79 will now be held as a virtual meeting — the in-person meeting in
Boston has been canceled.*

Due to the COVID-19 global pandemic, the NANOG Board of Directors and Staff
have decided to cancel the in-person meeting in Boston. To ensure the
safety of our community, NANOG 79 will
now be held as a three-day virtual meeting, June 1-3, with an abridged
program. Online registration and meeting details will be posted soon.

Both speakers and attendees will participate remotely. The NANOG Program
Committee is developing a program tailored to an online format, and has
extended the Call For Presentations to May 7.

All attendees registered for NANOG 79 in Boston should have been issued
refunds by Friday, April 24, and Marriott Boston Copley Place will
auto-cancel any rooms booked under the NANOG 79 hotel-room block. If the
hotel did not cancel your reservation, or if you have further questions,
please contact the hotel directly at +1-617-236-5800.

We will announce when registration opens, and share program topics and
highlights soon. Please contact us with any additional questions or
concerns: nanog-supp...@nanog.org

Sincerely,
The NANOG Board of Directors and Staff


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Michael Thomas



On 4/27/20 11:12 AM, Jon Lewis wrote:
> On Mon, 27 Apr 2020, William Herrin wrote:
>> On Sat, Apr 25, 2020 at 7:32 PM Matthew Black
>>  wrote:
>>> Good grief, selling a kit for $47. Since all robocalls employ Caller
>>> ID spoofing, just how does one prove who called?
>>
>> You don't. AFAICT, that's the point of Anne's comments. Finding them
>> is good enough. Paying off anyone who both finds them and appears well
>> connected with the law is cheaper than allowing the legal system to
>> become aware of their identities and activity.
>>
>> Blackmail 101 dude. Find someone with a secret and demand payment for
>> your silence. The best part is that if you're legitimately entitled to
>> the money because of the secret then it's not technically blackmail.
>>
>> Presumably the meat of the $47 kit is about how to tease out enough
>> clues to search public records and identify them.
>
> In my experience, the caller-id is always forged, and the call center
> reps hang up or give uselessly vague answers if I ask what company
> they're calling from.  I suspect the only sure way to identify them is
> to do business with them, i.e. buy that extended warranty on your car,
> or at least start walking through the process until either payment is
> made or they tell you who you'll have to pay.  I wonder, if you agree
> to buy the extended warranty, solely for the purpose of identifying
> them, can you immediately cancel it / dispute the charge?
>
> Then there are the 100% criminal ones calling from "Windows Technical
> Support" who want to trick you into giving them remote admin access to
> your PC.  I assume that's a dry well and the best you can hope to do
> is waste as much of their time as yours and see how foul a mouth they
> have.

On the IETF list, I've been making the case that a DKIM-like solution
for SIP signalling would in fact give you the way to blame somebody,
which was DKIM's entire raison d'etre. Who cares what the actual fake
e.164 address is and whether the sending domain is allowed to assert it
or not? That is rather beside the point. All I care is that the
originating domain is supporting abuse, and I know what the domain is to
complain to, ignore, etc.


Mike




Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Jon Lewis

On Mon, 27 Apr 2020, William Herrin wrote:

> On Sat, Apr 25, 2020 at 7:32 PM Matthew Black  wrote:
>
>> Good grief, selling a kit for $47. Since all robocalls employ Caller ID
>> spoofing, just how does one prove who called?
>
> You don't. AFAICT, that's the point of Anne's comments. Finding them
> is good enough. Paying off anyone who both finds them and appears well
> connected with the law is cheaper than allowing the legal system to
> become aware of their identities and activity.
>
> Blackmail 101 dude. Find someone with a secret and demand payment for
> your silence. The best part is that if you're legitimately entitled to
> the money because of the secret then it's not technically blackmail.
>
> Presumably the meat of the $47 kit is about how to tease out enough
> clues to search public records and identify them.

In my experience, the caller-id is always forged, and the call center reps
hang up or give uselessly vague answers if I ask what company they're
calling from.  I suspect the only sure way to identify them is to do
business with them, i.e. buy that extended warranty on your car, or at
least start walking through the process until either payment is made or
they tell you who you'll have to pay.  I wonder, if you agree to buy the
extended warranty, solely for the purpose of identifying them, can you
immediately cancel it / dispute the charge?

Then there are the 100% criminal ones calling from "Windows Technical
Support" who want to trick you into giving them remote admin access to
your PC.  I assume that's a dry well and the best you can hope to do is
waste as much of their time as yours and see how foul a mouth they have.


--
 Jon Lewis, MCP :)   |  I route
 StackPath, Sr. Neteng   |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: mail admins?

2020-04-27 Thread Bradley Raymo
Bill,

The NANOG website has been recently updated. The information you are looking 
for can be found under resources ->  Nanog mailing list -> Usage Guidelines.

https://nanog.org/resources/usage-guidelines/ 


The email address to contact the mail admins is mailman [at] nanog.org


Thanks
Brad Raymo
NANOG PC

> On Apr 21, 2020, at 2:11 PM, William Herrin  wrote:
> 
> Howdy,
> 
> How do we contact the nanog mail admins? I looked at
> https://archive.nanog.org/list and https://archive.nanog.org/list/faq
> but apparently someone thought it'd be clever to redact all the email
> addresses from that page. "Questions should be directed to[email
> protected]."
> 
> Thanks,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/



ATT Watch TV Contact

2020-04-27 Thread Dennis Burgess via NANOG
If a Watch TV contact, or anyone who has a technical contact, would contact me
off-list, that would be great.

I have a new IP block that is not working with ATT Watch TV app.


Dennis Burgess, Mikrotik Certified Trainer
MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE, MTCSE, HE IPv6 Sage, Cambium ePMP Certified
Author of "Learn RouterOS- Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net
Create Wireless Coverage's with www.towercoverage.com



Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Michael Thomas



On 4/27/20 9:15 AM, Anne P. Mitchell, Esq. wrote:
>> What exactly is this "basic internet research"? I thought the big problem is
>> that they are trivially capable of covering their tracks.
>
> There is always a money trail.  Always.  Because the whole point of these
> calls/sms messages is to get money out of you.  And the money trail almost
> always provides a nexus to the U.S. (or whatever country you are in).
>
> In the case of spam calls, you do have to get a bit creative (and actually
> interact with the spammers on the phone...e), to try to get them to give up
> on whose behalf they are working.  In the case of text message spam, it's often
> much easier because there will often be a link to a website, which, yeah, is
> likely a front for another website, but hey, if you are part of NANOG,
> following those trails should be trivially easy.
>
> In the case of the outfit that just coughed up the $1000 to me, it was a text
> message spam that was ostensibly about one product, but the url in the text
> message actually forwarded through two intermediate urls to land on a site
> hawking a completely unrelated product - no big surprise there  (this was nice
> because I was also able to accuse them of violating laws about misleading
> advertising ;-) ).  Even with whois basically being useless now in terms of
> figuring out who is behind stuff, it was pretty easy to figure out who exactly
> stood to profit from my buying what was advertised on the landing site.
>
> As it happened, when I contacted them, they (rather surprisingly) referred me
> to their lawyer - which turned out to be great because he understood
> immediately the predicament they were in. :~)

From everything I've read, the complexity of finding them is directly
related to their cost of doing business. If they can get by with few
layers of indirection, they do. If they need more, they will. You can be
guaranteed that they will add layers if they need to. Which is to say, I
don't see how this scales to actually reduce these scams.


Mike



Re: mail admins?

2020-04-27 Thread Michael Thomas


On 4/27/20 8:35 AM, William Herrin wrote:
> On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas  wrote:
>> On 4/26/20 8:39 PM, Matt Palmer wrote:
>>> On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
>>>> Which exactly zero deployment. And you need to store the plain-text password
>>>> on the server side. What could possibly go wrong?
>>>
>>> But you said that *passwords on the wire* were the biggest problem.  Digest
>>> auth solves that.  Also, you don't have to store the plain-text password.
>
> Correct. You need only store the realm/user/password digest. The chief
> problem with digest authentication is that the web site has no control
> over the UI. Among the many issues, this makes it tricky to reliably
> capture a digest in the first place without the server at least
> briefly knowing the password. I don't know if webauthn corrects this
> or makes similar blunders.

Webauthn corrects this by not using passwords at all. It uses public key
crypto which has the nice property that the thing that the server
remembers is, um, public. A compromise of public keys -- unlike unsalted
password hashes in the LinkedIn case -- does no harm. That was the
insight that Paul, Steven and I had with RFC 7486 back in 2012, as we
mashed together two different ways going about that in our experimental
rfc.

I'll stand by my initial stance: passwords over the wire remain the
largest security hole on the net because their reuse means you only have
to target the weakest sites to harvest them. Worse, you can create an
active attack to get people to just give you their passwords by setting
up some interesting site that requires an account whose actual purpose
is to harvest passwords. Digest does exactly nothing to deal with that
problem.

Also, says wikipedia about digest:

 Disadvantages

 There are several drawbacks with digest access authentication:

  * The website has no control over the user interface presented to the
    end user.
  * Many of the security options in RFC 2617 are optional. If
    quality-of-protection (qop) is not specified by the server, the
    client will operate in a security-reduced legacy RFC 2069 mode.
  * Digest access authentication is vulnerable to a man-in-the-middle
    (MITM) attack. For example, a MITM attacker could tell clients to use
    basic access authentication or legacy RFC2069 digest access
    authentication mode. To extend this further, digest access
    authentication provides no mechanism for clients to verify the
    server's identity.
  * Some servers require passwords to be stored using reversible
    encryption. However, it is possible to instead store the digested
    value of the username, realm, and password.
  * It prevents the use of a strong password hash (such as bcrypt) when
    storing passwords (since either the password, or the digested
    username, realm and password must be recoverable).

So my memory doesn't seem to be completely wrong here. It's been ages
since I've thought about digest.

> I can't speak to Steven, Paul, the w3c or any other non-posters to
> this thread that you wish to employ in an appeal to authority fallacy
> but with due respect, I think you hold a myopic view of network
> security. For better or worse, security is a zero-sum game. The budget
> stays proportional to the value of the asset being protected. When you
> spend it on low-impact improvements you don't have it for the many
> improvements with a higher impact than whether a web site knows the
> password you chose for that web site.

With webcrypto, you can do whatever you want these days, and use 
whatever UI you want. Webauthn is primarily about replacing user-facing 
passwords from what I can tell, but it seems like it was completely 
informed by crypto dongles and the business of selling them. While that 
might be fine for high value network equipment, etc, it adds a huge 
amount of complexity in what otherwise is a pretty straightforward use 
of public key cryptography: user enrolls their public key into the 
server auth backend (bound to some identity), you log in by the server 
sending you a nonce, etc which the browser signs with the corresponding 
public key which the server verifies. Done. Maybe I should do this again 
now that webcrypto is here instead of my janky javascript 
implementation. Trying to get webauthn to work with just local 
credentials was like pulling teeth and frighteningly complex for 
something that should be pretty straightforward. It would be extremely
disheartening if the best was the enemy of the good.


Mike



Re: Phishing and telemarketing telephone calls

2020-04-27 Thread William Herrin
On Sat, Apr 25, 2020 at 7:32 PM Matthew Black  wrote:
> Good grief, selling a kit for $47. Since all robocalls employ Caller ID 
> spoofing, just how does one prove who called?

You don't. AFAICT, that's the point of Anne's comments. Finding them
is good enough. Paying off anyone who both finds them and appears well
connected with the law is cheaper than allowing the legal system to
become aware of their identities and activity.

Blackmail 101 dude. Find someone with a secret and demand payment for
your silence. The best part is that if you're legitimately entitled to
the money because of the secret then it's not technically blackmail.

> Will the telephone company simply hand over detailed transport
> records or the hidden Caller ID information? I don't care about
> making money or imposition of government fines; I just want the calls to 
> cease.

Presumably the meat of the $47 kit is about how to tease out enough
clues to search public records and identify them.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Mike Hammett
Where I was meaning to counter was Jon Lewis's point that it was off-topic.




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "j k"  
To: "Mike Hammett"  
Cc: "Jon Lewis" , "North American Network Operators' Group" 
 
Sent: Monday, April 27, 2020 11:29:12 AM 
Subject: Re: Phishing and telemarketing telephone calls 


Mike, 


Except in this case the flaw was acknowledged back in the '80s and it took the 
FCC almost 40 years to do something about it. 


Joe Klein 


On Sat, Apr 25, 2020, 8:54 AM Mike Hammett < na...@ics-il.net > wrote: 




No different than any other network abuse mechanism and regulatory and 
legislative measures meant to control it. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 



From: "Jon Lewis" < jle...@lewis.org > 
To: "Matthew Black" < matthew.bl...@csulb.edu > 
Cc: "North American Network Operators' Group" < nanog@nanog.org > 
Sent: Friday, April 24, 2020 6:36:28 PM 
Subject: Re: Phishing and telemarketing telephone calls 

On Fri, 24 Apr 2020, Matthew Black wrote: 

> 
> Has anyone else noticed a steep decline in annoying phone calls since the FCC 
> threatened legal action against three major VOIP gateways if they didn’t make 
> efforts to prevent 
> Caller ID spoofing from scammers? 

Not that it's at all on-topic for NANOG, but no. I still get numerous 
"last chance to renew my car warranty" and whatever the scam is from the 
credit card callers per day on both my home and cell numbers. 

-- 
Jon Lewis, MCP :) | I route 
StackPath, Sr. Neteng | therefore you are 
_ http://www.lewis.org/~jlewis/pgp for PGP public key_ 






Re: Phishing and telemarketing telephone calls

2020-04-27 Thread j k
Mike,

Except in this case the flaw was acknowledged back in the '80s and it took
the FCC almost 40 years to do something about it.

Joe Klein

On Sat, Apr 25, 2020, 8:54 AM Mike Hammett  wrote:

> No different than any other network abuse mechanism and regulatory and
> legislative measures meant to control it.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Jon Lewis" 
> *To: *"Matthew Black" 
> *Cc: *"North American Network Operators' Group" 
> *Sent: *Friday, April 24, 2020 6:36:28 PM
> *Subject: *Re: Phishing and telemarketing telephone calls
>
> On Fri, 24 Apr 2020, Matthew Black wrote:
>
> >
> > Has anyone else noticed a steep decline in annoying phone calls since
> the FCC threatened legal action against three major VOIP gateways if they
> didn’t make efforts to prevent
> > Caller ID spoofing from scammers?
>
> Not that it's at all on-topic for NANOG, but no.  I still get numerous
> "last chance to renew my car warranty" and whatever the scam is from the
> credit card callers per day on both my home and cell numbers.
>
> --
>   Jon Lewis, MCP :)   |  I route
>   StackPath, Sr. Neteng   |  therefore you are
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>
>


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Anne P. Mitchell, Esq.


> What exactly is this "basic internet research"? I thought the big problem is 
> that they are trivially capable of covering their tracks.

There is always a money trail.  Always.  Because the whole point of these 
calls/sms messages is to get money out of you.  And the money trail almost 
always provides a nexus to the U.S. (or whatever country you are in).

In the case of spam calls, you do have to get a bit creative (and actually 
interact with the spammers on the phone...e), to try to get them to give up 
on whose behalf they are working.  In the case of text message spam, it's often 
much easier because there will often be a link to a website, which, yeah, is 
likely a front for another website, but hey, if you are part of NANOG, 
following those trails should be trivially easy.

In the case of the outfit that just coughed up the $1000 to me, it was a text 
message spam that was ostensibly about one product, but the url in the text 
message actually forwarded through two intermediate urls to land on a site 
hawking a completely unrelated product - no big surprise there  (this was nice 
because I was also able to accuse them of violating laws about misleading 
advertising ;-) ).  Even with whois basically being useless now in terms of 
figuring out who is behind stuff, it was pretty easy to figure out who exactly 
stood to profit from my buying what was advertised on the landing site.

As it happened, when I contacted them, they (rather surprisingly) referred me 
to their lawyer - which turned out to be great because he understood 
immediately the predicament they were in. :~)

Anne

--
Anne P. Mitchell, Attorney at Law
Dean of Cyberlaw & Cybersecurity, Lincoln Law School
CEO/President, SuretyMail Email Reputation Certification
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant, GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Former Counsel: Mail Abuse Prevention System (MAPS)

Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Anne P. Mitchell, Esq.


>> Well, while we are already engaged in the thread, some of you may be
>> interested to know (especially if you find yourself with time on your
>> hands these days), that you *can* actually get money from these
>> scum.  In fact, it turns out that they cave pretty easily because
>> they *know* they are violating the law, and they *know* what the
>> penalties are.  
> 
> This is awesome!
> 
> Not being a lawyer, I have no idea, but how effectively could a non-US-
> resident (i.e. somebody who lives in Canada) apply this?  Do the laws
> being violated still count if they are to a non US-resident?  Does not
> being a US resident weaken the leverage you have over these scum?  I.e.
> wouldn't they be more likely to ignore a non-US-resident on the
> assumption that such a person is not likely going to bring suit?

Well, if the org is in or has a connection to the U.S., then they are still in 
violation of the law.   Whether they would even come to know that you are not a 
U.S. resident would depend on how it unfolded, and even if they did come to 
find out that you are not a U.S. resident, to fight it on that basis would cost 
waay more than just settling with you.

The whole basis for this is basically that you are reminding them of something 
they already know (they are in violation of the law), and something else that 
they already know (each single violation of TCPA can carry a fine up to $500, 
and triple that if they knowingly violated TCPA and your phone is on the Do Not 
Call list - and of course you let them know that your phone number *is* on the 
DNC list, and that you have reason to believe that they knowingly violated the 
TCPA, so each call/text to you is worth $1500).  What they count on is that 
people receiving their calls/text messages won't know the law, or how to 
proceed against them.  YOU are letting them know that *you* know these things 
also, and that you are prepared to actually take them to court, where they know 
the odds are very much against them.  They *know* how much those penalties are, 
so if you are offering to settle for substantially less, it is in their best 
interest to agree to your terms.

Whether your place of residence would ever come up is an open question;  their 
wanting to spend the money to fight an otherwise slam-dunk (in your favour) 
lawsuit on that basis, which would cost them way more than what your now 
very reasonable offer requests, seems unlikely.

Hey, even if some of the orgs tell you to go pound salt if they find out you're 
not a U.S. resident, if even one comes through...free money (other than the 
time you have invested). :-)

Anne

--
Anne P. Mitchell, Attorney at Law
Dean of Cyberlaw & Cybersecurity, Lincoln Law School
CEO/President, SuretyMail Email Reputation Certification
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant, GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Former Counsel: Mail Abuse Prevention System (MAPS)

Re: mail admins?

2020-04-27 Thread William Herrin
On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas  wrote:
> On 4/26/20 8:39 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
> >> Which exactly zero deployment. And you need to store the plain-text 
> >> password
> >> on the server side. What could possibly go wrong?
> > But you said that *passwords on the wire* were the biggest problem.  Digest
> > auth solves that.  Also, you don't have to store the plain-text password.

Correct. You need only store the realm/user/password digest. The chief
problem with digest authentication is that the web site has no control
over the UI. Among the many issues, this makes it tricky to reliably
capture a digest in the first place without the server at least
briefly knowing the password. I don't know if webauthn corrects this
or makes similar blunders.

> You clearly know everything, while Steven, Paul, myself and the
> collective wisdom of w3c know nothing, so I'm out.

Respectfully, if you didn't know that http digest authentication
doesn't require server-side password storage, and more importantly
don't simply admit it now that you've been informed, how trustworthy
can your understanding of web authentication be?

I can't speak to Steven, Paul, the w3c or any other non-posters to
this thread that you wish to employ in an appeal to authority fallacy
but with due respect, I think you hold a myopic view of network
security. For better or worse, security is a zero-sum game. The budget
stays proportional to the value of the asset being protected. When you
spend it on low-impact improvements you don't have it for the many
improvements with a higher impact than whether a web site knows the
password you chose for that web site.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Tom Beecher
>
>
> https://www.theinternetpatrol.com/how-to-shake-down-robocallers-and-robotexters-for-fun-and-profit/
>

I absolutely endorse this idea. Very early in my career, I worked for a
shop that provided network/IT services for a bottom tier debt collector,
one of the early innovators of the 'rent-a-lawyer' concept in that
industry. It disgusted me to overhear the tactics they used when I was in
their offices setting one thing or another up, and I reveled in
the schadenfreude when they started getting splashed with such 'stock'
FDCPA complaints and losing constantly.


On Sat, Apr 25, 2020 at 1:25 PM Anne P. Mitchell, Esq. 
wrote:

>
>
> > On Apr 24, 2020, at 5:36 PM, Jon Lewis  wrote:
> >
> > On Fri, 24 Apr 2020, Matthew Black wrote:
> >
> >> Has anyone else noticed a steep decline in annoying phone calls since
> the FCC threatened legal action against three major VOIP gateways if they
> didn’t make efforts to prevent
> >> Caller ID spoofing from scammers?
> >
> > Not that it's at all on-topic for NANOG, but no.  I still get numerous
> "last chance to renew my car warranty" and whatever the scam is from the
> credit card callers per day on both my home and cell numbers.
>
> Well, while we are already engaged in the thread, some of you may be
> interested to know (especially if you find yourself with time on your hands
> these days), that you *can* actually get money from these scum.  In fact,
> it turns out that they cave pretty easily because they *know* they are
> violating the law, and they *know* what the penalties are.
>
> In fact, we wrote up how to do it (link below) and I *know* that it works
> because I just got myself $1000 out of a text message spammer!
>
> So, harass those phone spammers for fun *and* profit! ;-)  Here's the
> write-up I did, feel free to ask me any questions you may have. :-)
>
>
> https://www.theinternetpatrol.com/how-to-shake-down-robocallers-and-robotexters-for-fun-and-profit/
>
> Anne
>
> --
> Anne P. Mitchell, Attorney at Law
> Dean of Cyberlaw & Cybersecurity, Lincoln Law School
> CEO/President, SuretyMail Email Reputation Certification
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant, GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
> Board of Directors, Denver Internet Exchange
> Former Counsel: Mail Abuse Prevention System (MAPS)
>
>


Re: mail admins?

2020-04-27 Thread Michael Thomas



On 4/26/20 8:39 PM, Matt Palmer wrote:
> On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
>> On 4/26/20 5:07 PM, Matt Palmer wrote:
>>> On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
>>>> On 4/26/20 7:32 AM, Rich Kulawiec wrote:
>>>>> On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
>>>>>> $SHINYNEWSITE has only to entice you to enter your reused password which
>>>>>> comes out in the clear on the other side of that TLS connection. basically
>>>>>> password phishing. you can whine all you like about how stupid they are, but
>>>>>> you know what... that is what the average person does. that is reality. js
>>>>>> exploits do not hold a candle to that problem.
>>>>>
>>>>> Two equally large problems -- neither of which have anything to do with
>>>>> encryption in transport -- are backend security and password strength.
>>>>> In the former case, we've seen an ongoing parade of security breaches
>>>>> and subsequent dataloss incidents.  That parade is still going on.
>>>>> In the latter case, despite years of screaming from the rooftops, despite
>>>>> myriad enforcement attempts in code, despite another parade of incidents,
>>>>> despite everything, we still have people using "password" as a password.
>>>>>
>>>>> As a side note, I've found it nearly impossible to get users to
>>>>> understand that there is a qualitative and quantitative difference
>>>>> between "password used for brokerage account" and "password used for
>>>>> little league baseball mailing list".
>>>>>
>>>>> The minor problem of passwords-over-the-wire pales into insignificance
>>>>> compared to these (and others -- but that's a long list).
>>>>
>>>> Um, those are exactly the consequences of passwords over the wire. If you
>>>> didn't send "password" over the wire, nobody could guess that's your
>>>> password on your banking site.
>>>
>>> I guess that's why best practices for authentication encourage the adoption
>>> of HTTP Digest authentication.  No password over the wire == no problems!
>>
>> Which exactly zero deployment. And you need to store the plain-text password
>> on the server side. What could possibly go wrong?
>
> But you said that *passwords on the wire* were the biggest problem.  Digest
> auth solves that.  Also, you don't have to store the plain-text password.

You clearly know everything, while Steven, Paul, myself and the
collective wisdom of w3c know nothing, so I'm out.


Mike



Re: Phishing and telemarketing telephone calls

2020-04-27 Thread Tom Beecher
>
> I think the bigger issue is they are all entirely operated out of india.
>

Why is that specifically a problem, exactly?

There are many reasons why it is *easier* to set up a scam call center in
India, but it's not like the Indian authorities completely ignore the
problem. One operation in India was just raided and shut down after some of
Jim Browning's work was picked up by the BBC.

The VoIP gateways allowing CID spoofing isn't an India specific thing.
Neither are companies like Paypal who will continue to process payments for
an account even after being provided evidence of fraudulent activity, and
REFUNDING people who manage to file complaints on that same account.




On Sun, Apr 26, 2020 at 6:02 PM Dan Hollis  wrote:

> On Sun, 26 Apr 2020, Michael Thomas wrote:
> > On 4/25/20 10:23 AM, Anne P. Mitchell, Esq. wrote:
> >> So, harass those phone spammers for fun *and* profit! ;-)  Here's the
> >> write-up I did, feel free to ask me any questions you may have. :-)
> > What exactly is this "basic internet research"? I thought the big
> problem is
> > that they are trivially capable of covering their tracks.
>
> I think the bigger issue is they are all entirely operated out of india.
>
> -Dan
>