Caller ID Spoofing Firm Gets Death Threats
Frankie70 writes "Three days after the startup company Star38 began offering a service that fools Caller ID systems, the founder, Jason Jepson, has decided to sell the business. Jepson said he had received harassing e-mail and phone messages and even a death threat taped to his front door -- all of which he said came from people opposed to his publicizing a commercial version of technology that until now has been mainly used by software programmers and the computer hackers' underground. Details in the Houston Chronicle. Earlier ZDnet article about the service."
What a bitch. If this happened more often, we wouldn't have companies like SCO and others going on with their obnoxious, socially reprehensible behavior in the name of shareholder value. Don't get me wrong, I'm a capitalist, but that doesn't mean that a company has the right to shit all over everybody. We're all part of something called society, and we have laws and social norms that you must obey, and unfortunately sometimes the law doesn't completely reflect the reality of socially acceptable behavior. Just because it's legal or technically possible doesn't mean the people should bend over and accept it.
From the Houston Chronicle:
"The backlash against Star38 is the type of friction that can arise between for-profit software companies and hackers who resent the commercialization of technology they believe should remain free."
I really want to know if the majority of threats were from people who wanted the services to be free or if they were from people who decided that they didn't like the service at all! I fall into the second category and I'll bet everyone else does too!
I really don't see a legitimate use for a service like this
Any modern pbx lets the user set what the outgoing callerid information is.
So, when a new employee is hired, I can set their callerid to their name.
Should every outgoing line have different callerid? I want the outgoing callerid to be the main 800 number for my company.
This technology has been available for a very long time. But this is probably the first case to bring it to the mass market.
Death threats may be going a bit far, but I don't really see a "legitimate" reason for a service like this.
Credit and Collection agencies can't use this, but what about Bail Bondsmen? Or Private Investigators? Repo Men? All of them have a legitimate reason to hide their identities from the people that they call.
Pretention. You're a small company, but you can give the impression that you're a BIG company in order to make potential clients trust you with their business.
How about practical jokes? Call someone and have "God-The Almighty Himself" appear on their caller ID. It's not high brow, but not necessarily illegitimate either.
I don't anticipate having any desire to use this "service", but it's cool that it's out there.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
[snip]
The backlash against Star38 is the type of friction that can arise between for-profit software companies and hackers who resent the commercialization of technology they believe should remain free.
"In most countercultures, there is an aspect of selling out," said Caleb Sima, co-founder of Spi Dynamics, an online security company. "People who make money off technology are deemed to have sold out. Anyone who has a unique idea and is making money is going to get badgered."
[/snip]
No, I think it's that people don't like it when people use technology for slimy things, and want to get paid for the slimy things [pr0n aside]. I have no problems with Asterisk...I use it in my house, and have openly recommended it to some 'phone guy' co workers that like messing around with routing and stuff at home.
I know that caller ID can't be trusted...but that's only the first step in the puzzle. You've already got call ID block on your phones...so telemarketers decided to start putting 800 numbers and things like 555-555-5555 in as numbers on their outgoing CallerID.
I'm sure some people were upset. Legally, [IANAL], I think they could be on some shady ground, especially, if they're trying to represent someone else, when they're attempting to collect a debt.
I disable sigs...do you?
The article seems to suggest that hackers angry at the founder "selling out" were threatening him. Really? The guy lives in a gated community and a person managed to stick a note on his door and escaped unnoticed? I don't think so.
The guy might have just created this to get a good reason to sell the business. "Oh, it's so popular that people are trying to kill me. I'm not cashing out because, uh, the business might be illegal, etc."
A NYC lawyer blogs. http://www.chuangblog.com/
OK, this got buried on the last post so here it is again ---- to fake the ID on any cell phone, what you need is the code to program the phone (not the unlock code). 1) How to get the code: Call your cell phone provider and tell them your phone is acting up and it gives you some message saying it can't authenticate on the network. Then, before they start in troubleshooting it, ask them if you can reprogram the phone. Now watch out, some companies like Verizon use over-the-air *228 to program the phone, and Cingular sends updates through the air as well. So how do you get the code? Easy: tell them you're not getting a good signal and that you want to manually program the phone. They will walk you through manually programming the phone. Here it comes: write down the code they give you and ignore the rest. Your phone already works, so all you need is the code. Now that you have it, all you need to do is use it, and the first thing any phone asks you after entering the code is what phone number you want. So change it to whatever you want, I like (555)555-5555, then save the rest. -Don't change anything else or your phone won't work on the network -- Now why does this work? Well, cell phones use E.S.N. and authentication keys when billing, not the phone number, but their caller ID only uses the number that is programmed into the phone. So enjoy this, and yes I'm a coward, I didn't want to log in as myself to post this, so don't ask me any more ? about this --- and I don't believe this works for Nextel. tata
The telcos here don't let you "spoof" caller-id even if you have a legitimate reason (for example, the number you are "spoofing" is actually the number of the person really calling, over IP), let alone if you wanted to sell a service to allow customers to deceive people.
X-Has-Sig: yes
Anyone know how this is done? I can understand how to fake your cid number, but how can you fake CNAM? If I faked my number to a real friend's number the terminating switch would do a CNAM dip and display his number. How could I change the text of the name?
> Nathan Stratton nathan at robotics.net http://www.robotics.net
Spoofing caller ID is trivial, no great hack at all, and fairly commonly done. I'm amazed anyone cares (and have a sneaky suspicion that the news coverage and the "death threats" might well have been a way to sell a company for considerably more than the $5,000 or so it would have taken to set it up).
If you have anything bigger than an analogue copper phone line you can configure your PBX to send any number you like as your outgoing CallerID. It's no cleverer a trick than configuring your fax machine to send the wrong originating number.
Companies of all sorts have done this for years. Not just debt collectors and PIs, either. If you get a 'phone call from anyone at the New York Times you'll likely see a CallerID of 000-000-0000. Other companies will often send the main switchboard number at their HQ, rather than the direct dial number to the actual caller.
Spoofing it on a straight analogue line is a little trickier, but sometimes possible.
The only use of it is deception. It can only do harm - there are no legitimate uses for it.
If you really want to freak people out pretending to be god, just change your name by deed poll ;)
Those are excellent questions to ask.
X T, but otherwise resources for this kind of information are non-obvious.
Some information can be found by reading http://artofhacking.com/files/callerid/CLID-CID.T
Jason Jepson seems a little paranoid. Sometimes you have to take the heat to make some $$$. Controversial topics are usually pretty lucrative. It definitely stirs up the interest in a product. While I personally wouldn't want to be caller-id spoofed, I think he should give the idea a chance. Like another poster pointed out, the companies will soon wise up and prevent the caller-id spoofing. Until then, try to make a few bucks.
--
Live deals all the time. Check out the latest in deal processing.
Hackers are never the problem.
Easily exploitable vulnerabilities in a system are.
I don't really agree. It sounds more like a black-hat justification than a real analysis.
In an "ideal" world, we wouldn't need locks on our doors or passwords on our computers, because people wouldn't be trying to steal from us or cheat us. There are actually still a lot of communities where the crime rate is low enough that locks aren't used most of the time. We never locked our house when I was growing up. It's a nice way to live, not worrying about other people being dishonest to the point that you get hurt. The small percentage of people who just can't be bothered to play by the rules end up hurting everyone else. The hackers are the problem.
Now, admittedly, we live in the real world. In most areas, including on the Internet, you can't trust your neighbors anymore because there are too many of them. That means we use locks and firewalls. They will never be perfect, anyone qualified can tell you that it's always a compromise between security and usefulness. Everyone, and every new technology, has to pick their compromise and hope it works out. If they're lucky, the attack rate will be low enough that it doesn't cause too much damage. If not, or if they make mistakes and end up with a worse compromise than they thought they had (nobody's perfect), then the technology becomes a liability. In that case, easily exploitable vulnerabilities are also the problem.
To make up for the fact that no system or technology is perfect, we have laws that try to prevent people from destroying everything that anyone builds simply because they can. If people exploited every weakness of every system, society would fall apart. (Or at the very least it would look like one of the future dystopias in sci-fi.) That's why we jail hackers. Not to try to pretend that network security, but to add an extra level to it. Violate my security protocols, and you are going to find yourself on the receiving end of my criminal justice system. It's a lot of work for an unpleasant reward, so maybe less people will do it.
In this case, I don't see a legitimate reason for the spoofing. They have gone to the trouble of giving you an easy choice to provide your ID or not to. You can default either way, and switch per-call easily. With a few exceptions (giving the main office number instead of your private extension), there's really no reason to give a false ID. If it was just the hackers doing the spoofing, the rate would be low enough that the technology would still be useful. If anyone and everyone can send whatever ID they want, then the technology is likely to be abused to the point where it is useless. Then millions in investments go down the tubes and millions of people lose a useful service, not because it was dangerous or harmful or anything, but because it wasn't perfect and someone decided to destroy it for personal pleasure and profit.
I don't condone the death threats, but I wouldn't turn in the person if I knew who it was.
> I can think of no legitimate uses for it.
I'll play devil's advocate. People say the same thing about anonymous remailers, proxies, etc. I understand there's a difference between spoof and anonymous but let's see:
Civil Disobedience.
Bond/Repo Men/Private investigators.
Complaining to people in power without revealing identity or giving off the "CALLER ID BLOCKED" message.
Getting around hairy social or legal situations in an ethical manner. Remember, legal does not equal correct. Illegal does not equal incorrect.
Road warriors "spoofing" their work phone numbers and not their cell numbers.
and of course the #1 reason:
Teenage girls calling boys they like, giggling, and hanging up.
I'm more sympathetic to the people involved than I am to the collection agencies. Almost all bills are well-documented transactions. Contracts get signed, services/products delivered, etc. Collection agencies can use the legal process if they want their money back. However, it's cheaper to hire someone to make threatening phone calls. Basically, these threats are a form of least-cost production. They want the money as soon and as fast as possible.
"God is a comedian playing to an audience too afraid to laugh." -Voltaire
yeah, one of the things they "can't" do is claim to be anything other than a collection agency. In fact they are generally required by law to announce that they are a collection agency - which they frequently don't do.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Since when does something need to have a "legitimate reason" to be allowed? Seriously, don't free societies allow everything unless there's a really good reason for prohibiting it? Yet I see several "insightful" posts here arguing that unless this service can justify why it's worthy, it should be banned.
I'm sure advertisers think there's no legitimate reason for Firefox to have pop-up blocking, and Sony thinks there's no legitimate reason for PlayStation owners to have mod chips, and so on.
As for saying death threats "may be going a bit far"... well, yeah.
I should buy some cement.
I thought the philosophy about grey-area technology around here was that you don't blame the technology - you blame the user. I guess that's only the case when it doesn't inconvenience us. A large amount of P2P transfers are illegal (or at the very least grey-area), but nobody blames P2P. So a large amount of Caller ID spoofing will be illegal or grey-area, and everyone blames the technology? Whatever.
Use your primary number for everything else, and also be sure to have voice mail in case a call from the primary is one you wish to return. This system works because:
- When you call a business, caller ID and even ANI will only return the primary number. The ringmaster number remains your little secret.
- Because you only give out the primary number, information trading services will be useless in trying to reach you against your will.
I have found this very effective in thwarting telemarketers. I have not spoken to one in years. This system even works against numbers that do not allow "blocked" caller ID. A demon dialer or trusted party that turns out to be not so trustworthy are the only weaknesses of this system.
In my particular case, the way I handled it was to initially give the "wrong" maiden name
The way I've handled it was to look the number up in the phone book. Isn't going to work very well with larger banks, though.
Maybe the banks will eventually have to start leaving messages like "Call me back at blah blah, and for confirmation purposes the PIN at the bottom of this month's bill is yada."
Slashdot's token middle-aged housewife
Frankly, I think bill collectors already do MUCH more calling than is necessary to "get the money that is owed to them". The problem is not that they can't make initial communications, or remind people they still have an outstanding balance.
That's already accomplished much more effectively with the "past due" notices and "collection activity is being taken" notices they mail out on a regular basis.
Bill collectors really just use phone calls as a means of harassment, to wear down someone - hopefully to the point where they'll just pay the bill rather than being interrupted constantly by the ringing phone.
As just one example, my ex-wife ran up a bunch of bills on my Discover card right before she moved out. Even though I had the card itself in my possession the whole time (and her name was never on it as a co-signer), she used some old "cash advance checks" to get thousands of dollars for herself.
I alerted them as soon as I realized what happened, but they still claim I'm responsible for the charges. I tore up my card and refuse to pay (largely because there's no way I CAN pay!). They called both my home and my workplace about 6 times per day, on average - and on weekends, call several times, starting at about 8AM, again around 10AM and again around lunchtime. I finally just changed my home number to an unpublished number, but they still call my work as regularly as ever.
Lucky for me, my boss is pretty understanding about the situation... but any fool should know that if you're trying to collect money, you don't take steps that could get the person fired from their job as part of your efforts!
Has it ever occurred to you that there may be valid reasons to have collection agencies coming after you?
:) /cheapplug.
I'm 20 years old and over $3000 in debt because of schooling expenses and a couple of periods of unemployment. Do you think I DON'T WANT TO PAY THEM? No, I'd love to pay them, I even moved back in with my parents to enable myself to have more money to pay back my debt. But that does NOT give them the right to call me everyday, refuse to say who they are until I give my name, and make me dread answering my phone. In NC, if you tell a collection agency to stop calling you, they're supposed to -- well guess what, law != practice in a lot of cases. Do NOT defend these bastards, unless you're willing to give me and all of the other people in my situation money to pay back bills.
Now, I will give it to you, there are people who go nuts and buy TVs, cars, other crazy things which they have no way to afford, but that's not the case quite a bit of the time. Perhaps you need to get your nose outta your checkbook and pay attention to the less fortunate of the world.
(Aside: No offense to any people who are homeless/destitute by the less fortunate remark -- I'm quite thankful to have a roof over my head and food in my belly on a regular basis).
Anyone wanna help me get outta debt? Paypal jasonlf@gmail.com
Jay | http://oldos.org
i mean come on...
businesses have just about every law on their side and now they are going to be allowed to mask who they are to trick you.
i just don't know what to think anymore.
the whole situation is discouraging and seems to be getting worse.
i'd propose calling my reps and senators but they are all pro-business so i can't get anywhere.
although i'm open to ideas on how to persuade them to pass legislation banning the use of this product.
Is it 5:30 yet?
Ever since I misdialed a number, realized it was the wrong number and hung up.
Couple minutes later I got a call with some ass screaming at me, so I hung up. And then again, and again. That jackass kept calling me. Finally, I changed my number.
Then there was the time I called someone on a business matter. Sometime later her husband came home, saw my number on their caller ID, called me up and kept trying to get me to admit I was sleeping with his wife.
Gah, I hate caller ID.
The Kruger Dunning explains most post on
Note to self: always say "that's not what we have on record" for the first time, if the victim says something different then note that, otherwise if she complains say "oh, I'm sorry, that was the right [password/maiden name/swiss bank account/credit card number] indeed."
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."