Caller ID Spoofing Firm Gets Death Threats

Frankie70 writes "Three days after the startup company Star38 began offering a service that fools Caller ID systems, the founder, Jason Jepson, has decided to sell the business. Jepson said he had received harassing e-mail and phone messages and even a death threat taped to his front door -- all of which he said came from people opposed to his publicizing a commercial version of technology that until now has been mainly used by software programmers and the computer hackers' underground. Details in the Houston Chronicle. Earlier ZDnet article about the service."

Obligatory Joke

Attempts to trace the harassing calls failed due to their use of spoofed Caller ID information.

Re:Obligatory Joke

[bsharitt]

Harassing this man is wrong. This should only be used for legimate uses like pranks and stalking.

No it wasn't!

[ScottGant]

I didn't tape it to his door, I taped it to his mailbox.... ...NO WAIT! Ignore that last little bit....

Re:No it wasn't!

[dealsites]

Jason Jepson seems a little paranoid. Sometimes you have to take the heat to make some $$$. Controversial topics are usually pretty lucrative. It definately stirs up the interest in a product. While I personally wouldn't want to be caller-id spoofed, I think he should give the idea a chance. Like another poster pointed out, the companies will soon wise up and prevent the caller-id spoofing. Until then, try to make a few bucks.
--
Live deals all the time. Check out the latest in deal processing.

Good ridance

[Nos.]

Death threats may be going a bit far, but I don't really see a "legitmate" reason for a service like this. Telemarketers and debt collection agencies can NOT use services like this (at least where I am) and I really don't see a legitimate use for a service like this. I just wish it would be cancelled not sold to some other company.

Re:Good ridance

[ResidntGeek]

It'll make the phone companies fix the problems with their systems. People shouldn't be able to do this, and nobody will be happy about it, so the phone companies will be pressured to fix it.

Re:Good ridance

[double-oh+three]

One good use I've heard of is pranking friends/enemies. A joke is a legitimate use. Say you've got a friend in the federal government that's looking to be upwardly-mobile. Spoof the White House's phone number. For the overly, overly religious; (666) 666-6666.

Re:Good ridance

[dave420]

Credit/collection agencies, bail bondsmen, PIs and even Repo men can call from lines that don't announce who they are. I mean, you wouldn't have a line registered under your business if it's a liability to your profession. The use of an alternative name is understandable and legal, it doesn't warrant a technology like this. As for pretention? That's just ridiculous. You're suggesting it's use as a marketing tool is a good reason to allow it? Do those feelings extend to spam? Practical jokes? Now I know you're scraping.

The only use of it is deception. It can only do harm - there are no legitimate uses for it.

If you really want to freak people out pretending to be god, just change your name by deed poll ;)

Re:Good ridance

Hackers are never the problem.
Easily exploitable vulnerabilities in a system are.

I don't really agree. It sounds more like a black-hat justification than a real analysis.

In an "ideal" world, we wouldn't need locks on our doors or passwords on our computers, because people wouldn't be trying to steal from us or cheat us. There are actually still a lot of communities where the crime rate is low enough that locks aren't used most of the time. We never locked our house when I was growing up. It's a nice way to live, not worrying about other people being dishonest to the point that you get hurt. The small percentage of people who just can't be bothered to play by the rules end up hurting everyone else. The hackers are the problem.

Now, admittedly, we live in the real world. In most areas, including on the Internet, you can't trust your neighbors anymore because there are too many of them. That means we use locks and firewalls. They will never be perfect, anyone qualified can tell you that it's always a compromise between security and usefulness. Everyone, and every new technology, has to pick their compromise and hope it works out. If they're lucky, the attack rate will be low enough that it doesn't cause too much damage. If not, or if they make mistakes and end up with a worse compromise than they thought they had (nobody's perfect), then the technology becomes a liability. In that case, easily exploitable vulnerabilities are also the problem.

To make up for the fact that no system or technology is perfect, we have laws that try to prevent people from destroying everything that anyone builds simply because they can. If people exploited every weakness of every system, society would fall apart. (Or at the very least it would look like one of the future distopias in sci-fi.) That's why we jail hackers. Not to try to pretend that network security, but to add an extra level to it. Violate my security protocols, and you are going to find yourself on the receiving end of my criminal justice system. It's a lot of work for an unpleasant reward, so maybe less people will do it.

In this case, I don't see a legitimate reason for the spoofing. They have gone to the trouble of giving you an easy choice to provide your ID or not to. You can default either way, and switch per-call easily. With a few exceptions (giving the main office number instead of your private extension), there's really no reason to give a false ID. If it was just the hackers doing the spoofing, the rate would be low enough that the technology would still be useful. If anyone and everyone can send whatever ID they want, then the technology is likely to be abused to the point where it is useless. Then millions in investments go down the tubes and millions of people lose a useful service, not because it was dangerous or harmful or anything, but because it wasn't perfect and someone decided to destroy it for personal pleasure and profit.

I don't condone the death threats, but I wouldn't turn in the person if I knew who it was.

Re:Good ridance

[Lord+Kano]

Getting rid of that ability is endangering victims and making life a lot harder for law enforcement agencies. That is a far more substantial argument than that of a marketing tool.

Life is supposed to be hard for law enforcement. Federal agents complaining that they don't have the tools that they need to do their jobs is BS; pandering at its worst.

Those agencies who need to hide their numbers already can do that, with no new help.

No, they can block their Caller ID information, they can't replace it on the fly.

Introducing this service would give that power to everyone, which (as I've pointed out before) can only harm.

So in your worldview, power should be kept for the select few and you get to select those few.

I am not buying it.

LK

Re:Good ridance

[xigxag]

This was exactly on my mind when my bank called me the other day. They left a message on my machine to question some unusual charges that had been made, and said to call them back.

Caller ID identified them as my actual bank.

When I called, the rep asked me for my card number and my mom's maiden name to verify. I gave them the information, but how do I know for sure that I wasn't just pwned?

More generally, how is one ever supposed to tell in the future that one is not the victim of a phish? The Star38 guy said he was likely scammed himself, and you'd think he'd know better.

In my particular case, the way I handled it was to initially give the "wrong" maiden name...then the rep said, "that's not what we have on record." At that point I knew she was legit, but one can potentially see this escalating to Frank Herbert-like levels of feints within feints, with the pro more likely to be one step ahead of the mark.

Re:Good ridance

[madmancarman]

When you say

Spoof the White House's phone number

and

For the overly, overly religious; (666) 666-6666

aren't you being a bit redundant?

Re:Good ridance

[PPGMD]

Never been called by the Whitehouse have you? Their number doesn't return a caller ID codes at least on My Verizon cell phone.

Re:Good ridance

[treke]

Fine here's a use. Take for example a small company that operates out of the employees homes. Calls are made from from personal phones, cell phones, wherever. There is one phone number that is designated as the incoming number for the company. You fake caller ID on all calls to display the main number of the caller so that you only receive a call at the main location and your customers do not end up getting someones personal answering machine when they try to return a missed call.

Using caller id to identify callers is a losing proposition, there are other technologies in place that do not involve trusting the information the caller gives you. Try calling 911, they already happily disregard the information caller id distributes.

Re:Good ridance

[rich_r]

The call was probably along the lines of "get off our lawn and take your damned pants with you" ;)

Easy to trace

[usefool]

If it's a death threat, police should be involved and trace the originators. Email and phone calls should be easy enough to trace if there's serious crime associated with them.

And if the phone threat's caller ID is spoofed, well, at least the threats are directly supporting the spoofing service.

Kill it!

[CptnSbaitso]

From the houston chronicle:

"The backlash against Star38 is the type of friction that can arise between for-profit software companies and hackers who resent the commercialization of technology they believe should remain free."

I really want to know if the majority of threats were from people who wanted the services to be free or if they were from people who decided that they didn't like the service at all! I fall into the second category and I'll bet everyone else does too!

Bullshit Detector

*beep* *beep* BULLSHIT ALERT *beep* *beep*

The entire premise behind this "service" seems to be: fraud. I can think of no legitimate uses for it.

And now, the creator of the service is looking to sell out? If it's a dangerous life, why not just shut down? Obviously, he's looking for a quick buck, at the expense of the rest of us (and whatever shady organization snaps this up). ...and this is just more free advertising.

Re:Bullshit Detector

[gad_zuki!]

> I can think of no legitimate uses for it.

I'll play devil's advocate. People say the same thing about anonymous remailers, proxies, etc. I understand there's a difference between spoof and anonymous but lets see:

Civil Disobedience.

Bond/Repo Men/Private investigators.

Complaing to people in power without revealing identity or giving off the "CALLER ID BLOCKED" message.

Getting around hairy social or legal situations in an ethical manner. Remember, legal does not equal correct. Illegal does not equal incorrect.

Road warriors "spoofing" their work phone numbers and not their cell numbers.

and of course the #1 reason:

Teenage girls calling boys they like, giggling, and hanging up.

Interesting part about the article...

[ONU+CS+Geek]

[snip]
The backlash against Star38 is the type of friction that can arise between for-profit software companies and hackers who resent the commercialization of technology they believe should remain free.

"In most countercultures, there is an aspect of selling out," said Caleb Sima, co-founder of Spi Dynamics, an online security company. "People who make money off technology are deemed to have sold out. Anyone who has a unique idea and is making money is going to get badgered."
[/snip]

No, I think it's that people don't like it when people use technology for slimy things, and want to get paid for the slimy things [pr0n aside]. I have no problems with Asterisk...I use it in my house, and have openly recommended it to some 'phone guy' co workers that like messing around with routing and stuff at home.

I know that caller ID can't be trusted...but that's only the first step in the puzzle. You've already got call ID block Block on your phones...so telemarketers decided to start putting 800 numbers and things like 555-555-5555 in as numbers on their outgoing CallerID.

I'm sure some people were upset. Legally, [IANAL], I think they could be on some shady ground, especially, if they're trying to represent someone else, when they're attempting to collect a debt.

Who would do this?

[darkmeridian]

The article seems to suggest that hackers angry at the founder "selling out" were threatening him. Really? The guy lives in a gated community and a person managed to stick a note on his door and escaped unnoticed? I don't think so.

The guy might have just created this to get a good reason to sell the business. "Oh, it's so popular that people are trying to kill me. I'm not cashing out because, uh, the business might be illegal, etc."

Re:Who would do this?

[chimpo13]

The guy lives in a gated community and a person managed to stick a note on his door and escaped unnoticed? I don't think so.

Ho, ho, ho. People who believe they're safe because they're in a gated community just aren't thinking. When I'd help my friend repo cars, gated communities didn't even get a 2nd thought. Not even the fancy-pants ones like when we went to MC Hammer's house.

And when we'd drive into a gated community in an obvious repo truck past the guard, well, that's the risk at hiring guards for 8 bucks an hour. You don't get the brightest guards out there and you don't lie to them to get in.

But I think this guy is just trying to make a quick buck and sell his business. If you're doing something shady, you have to deal with shady people.

It isn't as though he developed the technique.

[Scoria]

Anybody can generate fictitious Caller ID information. Instead of attributing the blame to Jepson, who merely developed a convenient method by which to do so, perhaps we should blame the telephone companies. They developed the insecure technology, after all, and appear unwilling to mitigate the problem(s).

Collection agencies are scum

[Gannoc]

I've never been the target of one myself, but I used to always wonder why bankruptcy lawyer commercials always said stuff like "Stop creditor harassment."

I always thought, "Well honestly, if you're not going to pay your bills, then you should expect people to ask you for the money."

Nope. Its harassment. Its actually frightening stuff. I first started learning about this when I received an odd message on my answering machine. It was from someone from "Kansas City" who said that she was despirately trying to get in contact with my neighbor, and that she had called the police and they had said I was a neighbor, and could I PLEASE tape a note to their door giving them her number."

Well, it sounded fishy, so I called the number myself late at night after hours. The answering message didn't say where I had called, but I waited and found it was a collection agency.

Basically, they lied to ME, a 3rd party, to try and get me to do their fucking job for them, and probably ruin my relationship with my neighbors in the process. They clearly didn't call the police about an emergency like they implied. I'm glad I checked up with them, i'm sure my other neighbors got similar messages.

These people do everything short of theatening to break your fingers. They'll say "We're going to call your boss and tell them you're not paying your bills. I'm going to try and get you fired." They threaten to tell your neighbors, to tell your children's school, etc. They'll call you 5-7 times a night demanding that you immediately send them the money.

There have been many stories of people who sent them a part of their bill, and then the collection agencies illegally used their checking account number to withdraw the whole amount, causing a chain reaction of them now being late on ALL of their bills, instead of the one they just couldn't pay.

So its no surprise that collection agencies would use something like this to fool people.
Yes, some people are deadbeats, but there are a lot of people who have lost their jobs and need to choose between food and their gas bill.

It should be all or none

[egburr]

Either anyone should be allowed to spoof their ID, in which case caller ID becomes worthless, or nobody should be allowed to do it. Some types of companies are prohibited by law from spoofing their ID, and for good reason. The phone companies should implement a technological means of prevention for this, and not allow anyone at all to do it.

Caller's should be allowed to block or reveal their ID, but not spoof it. Receivers should be able to accept or reject calls with a blocked ID.

I've had more than enough calls from "0" which were not from the operator. I've had plenty of calls from other numbers that are obviously false (not 7 or 10 digits). I've had plenty of calls from numbers that were "out of service" when I called them.

If the phone companies are unable to prevent spoofing, the government should implement laws either to make spoofing illegal or to mandate an upgrade to the phone system to make it impossible.

Re:how to spoof with a cell phone

[v1]

I was going to do some modding here today but I'll forego that for some good advice:

don't do this.

Years ago I got a cel phone at the same time as a friend of mine. Back in those days, the codes came with the phones if you read all the literature. I found my way into the programming area and, among other things, managed to permanently screw up my low battery shutdown point. I was able to change my number to a friend's number, and answer his phone calls.

When I mentioned this to my service provider, they said "you must not have done it very many times..." The reason was, when they get five (5) incorrect ESN/Phone Number match-ups, they deactivate your phone by it's ESN, and then you have to take it back to them to get it turned back on. So just don't. (and no, you can't change your ESN... at least not unless you own a specific model of Motorola phone for which Motorola got fined heavily by the FCC for producing it in that modifyable way)

Doctors responding to patients from home

[PerpetualMotion]

After working at an answering service, I would page anywhere between 2-10 doctors a night with emergencys from hospitals or patients with sick babies, women worried about their pregnancys, adults having athsma problems, chipped/painful teeth, or other problems. Some that should go to the ER, some that could of waited till the next day, and others that just really just needed a call back. Doctors cannot give their home telephone number out. Most anyone who thinks they have a medical emergency thinks they should call direct instead of going through "channels." This means doctors use caller ID blockers.

There would periodically be problems with doctors using caller ID blocks being unable to call people back who block those calls, leading to sometimes unimaginable frustration in the middle of a medical emergency. The first time I saw this service, I saw immediatly that it could and probally would be abused, but for doctors who got stuck in that situation, it would be invaluable.

Caller ID should be secure

[Anonymous+Writer]

I thought that caller ID was done through the phone company and people couldn't alter it. And I always thought it would be a great method for dial-up authentication and private networking. With caller ID, a computer recieving a data call could identify that the calling computer was physically located at a land line. This would be extremely useful for businesses to business transactions and banking. Having to rely on encryption while connecting through the internet just isn't as secure as a direct physically secured phone call.

Sure, there could be legitimate uses; say for example that you have a call forwarding feature provided by the phone company and you are having calls to your number forwarded to a phone at your location. It would be useful to be able to have calls from that location display your caller ID if you need to return a call. However, that shouldn't be up to a company like this. It should be a feature connected with calling card billing; if you use your calling card from a remote location and it is being billed to your phone number, it should also display your caller ID. Connecting caller ID to billing would also work well for tax accounting. If you were making a phone call for business, you would want your business number caller ID to appear. And you would want the call to be billed to your business phone number as well, for tax purposes.

The options for using this service legitimately don't compare to the possible illigitimate uses for it. This would be the next "spamming" type of business, making money out of putting others through misery. The fact that caller ID is called "caller ID" is so that it can work just like proper identification. Using a service like this to pretend you are someone else calling would be the equivalent of using a fake driver's license, even though it isn't percieved that way by the legal system yet.

One good use...

[NotAnotherReboot]

I can think of *one* good use for spoofing- calling cards. Why not have the company performing the calling card service to take the number you call them from and then spoof that when they make the call through their system?

I'd like one.

[geekoid]

Ever since I misdialed a number, relized it was the wrong number and hung up.
Couple minutes later I got a call with some ass screaming at me, so I hung up. And then again, and again. That jackass kept calling me. Finally, I changed my number.

Then there was the time I called someone on a business matter. Sometime later her husband came home, saw my unmber on there caller ID, called me up and kept trying to get me to admit I was sleeping with his wife.

Gah, I hate caller ID.