Slashdot Mirror


Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."

19 of 248 comments

  1. SPIT will rock !!!! by DrLov3 · · Score: 1, Insightful

    I never was bothered by SPAM ... I don't think SPIT will bother me either ....

    However the solution is simple, and it's not in technology that we will find the answer, it is USER education : don't buy from SPAM/SPIT, then the senders will go bankrupt or at least they won't be making profit and since they are money motivated, they will go look for another market.

    1. Re:SPIT will rock !!!! by Zibri · · Score: 2, Insightful

      The cost to send out spam is extremely small. If only, say 0,1%, of the sent mails leads to an order the margin is met. You will not be able to educate those 0,1%. Some always slip through.

  2. Re:#1 question by Hatta · · Score: 3, Insightful

    What if VOIP is your regular phone? Then it is a big problem.

    Few people use VOIP as their home phone, and problems like this will keep it that way.

    --
    Give me Classic Slashdot or give me death!
  3. Data is data. by khasim · · Score: 4, Insightful

    By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.
    If you're talking the current (3rd generation) of digital phones, there really isn't a difference between "voice" and "data" as it gets to your cell phone.
  4. Re:Server first by Nibbler999 · · Score: 4, Insightful

    The point is that the contents of the communication cannot be analysed in advance. The system doesn't know what the caller will say until the conversation has started and you have already been disturbed.

  5. Re:Spam? Spit? What's next? by MightyYar · · Score: 2, Insightful

    Spam doesn't mean anything, so why should the term for the VOIP stuff have to be an acronym? We should just pick another nasty, maligned meat product. I vote scrapple.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  6. Re:Obvious, simple, solution. (Quick! Patent it!) by aaarrrgggh · · Score: 2, Insightful

    Works great for individuals, not so well for businesses. You never know when a lead will come in, and you have to be careful how much effort you put a potential customer through.

  7. Colour of bits in the packet by DrYak · · Score: 5, Insightful

    there really isn't a difference between "voice" and "data" as it gets to your cell phone.

    But once it gets to your bill, there's a difference.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Colour of bits in the packet by speculatrix · · Score: 3, Insightful

      actually, VOIP works very well. and this is despite the lack of proper QoS management in the internet's infrastructure. however, on a large scale, VOIP only really works in a fully managed environment where you can keep voice and data traffic on separate networks, so that the low latency/low jitter needs of VOIP - which doesn't need much bandwidth - won't conflict with the uncritical high bandwidth data hog.

  8. Re:#1 question by wile_e_wonka · · Score: 4, Insightful

    Vonage, Skype, and MagicJack. There are plenty of people out there who use these as their "regular phone."

  9. Re:#1 question by tlhIngan · · Score: 4, Insightful

    Can this get to my regular phone or cell phone?


    That's called telemarketing. This isn't.

    This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

    But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).

    It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

    About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).
  10. among their findings: by circletimessquare · · Score: 2, Insightful

    inventing cutesy acronyms (like "spit") vastly increases awareness in the media and in funding

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  11. The paper is stupid by tkinnun0 · · Score: 5, Insightful

    They set up a scenario where every call gives the callee a small payment, then find this weakness in it:

    "Let us even assume, that Payment at Risk is used for every call. Even In that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to “normal” customers."

    Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?

  12. Re:Call Screening by Anonymous Coward · · Score: 1, Insightful

    If that starts happening, cellular providers/voicemail providers can simply let you vote to have that number blocked. If they get a trigger value of no votes, it gets blocked network wide.

    What number?

    If there's no POTS phone on the other end, just a botnet spoofing fake caller-ID data into the system, blocking 555-123-4567 isn't going to do anything. Because the next spam will come from 555-123-0001, 0002, and so on.

    It's the telephone equivalent of blocking spammer1234567@hotmail.com.

  13. Re:#1 question by Frantix · · Score: 5, Insightful

    Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.

  14. Re:#1 question by SanityInAnarchy · · Score: 4, Insightful

    If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night

    If the spitters pay for the minutes, you won't get 1,981 of them.
    --
    Don't thank God, thank a doctor!
  15. Re:#1 question by Sandbags · · Score: 5, Insightful

    Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

    On to the topic at hand however...

    VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.

    For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

    A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

    White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
    I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

    All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP Provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...

    --
    There is no contest in life for which the unprepared have the advantage.
  16. Re:#1 question by legirons · · Score: 2, Insightful

    It all sounds so easy when there are only a few calls per day.

    When it becomes anything like regular spam, you'd be receiving 20 calls per minute continuously from automated processes (e.g. perhaps from other broadband users running Windows, including your family, colleagues, and business contacts) - then it would take a lot more effort to block everything correctly

  17. Known unknowns by AlpineR · · Score: 2, Insightful

    I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

    That sounds great as long as the VoIP box is being used by a tech savvy person like you. And as long as the emergency call originates from your family member's home and not an unfamiliar cell phone, pay phone, hospital phone, jail phone, friend's phone....
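
The screening rules described in comment 15, together with the caller-ID rotation problem raised in comment 12, as an added example that is not part of any comment in the thread. The function names, the 23:00-07:00 quiet window, the action labels and all phone numbers are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import time

TOLL_FREE = ("800", "866")                        # prefixes named in comment 15
QUIET_START, QUIET_END = time(23, 0), time(7, 0)  # assumed night window

def screen_call(caller_id, when, contacts, expected=frozenset()):
    """Decide what to do with one call.

    caller_id is a digit string, or None when caller ID is withheld.
    contacts is the set of numbers with a saved name (the whitelist).
    """
    known = caller_id in contacts
    if when >= QUIET_START or when < QUIET_END:
        # VoIP box is off at night: nothing rings, whitelist voicemail wakes the owner
        return "voicemail+wake" if known else "voicemail"
    if caller_id is None:
        return "voicemail"                        # blocked caller ID is never answered
    if caller_id.startswith(TOLL_FREE) and caller_id not in expected:
        return "callback"                         # verify the business by calling back
    return "ring" if known else "voicemail"

def delivered_before_block(n_calls, threshold, rotate):
    """Count spam calls that get through a vote-based network blocklist.

    Every recipient reports the call; a number is blocked once it has
    `threshold` reports. With rotate=True each call uses a fresh spoofed ID.
    """
    votes, delivered = Counter(), 0
    for i in range(n_calls):
        cid = f"555123{i:04d}" if rotate else "5551234567"
        if votes[cid] < threshold:
            delivered += 1
        votes[cid] += 1
    return delivered

if __name__ == "__main__":
    contacts = {"5025550100"}                     # constructed sample whitelist
    for cid, hhmm in [("5025550100", time(4, 0)), (None, time(14, 0)),
                      ("8005550199", time(14, 0)), ("5025550100", time(14, 0))]:
        print(cid, hhmm, "->", screen_call(cid, hhmm, contacts))
    print("fixed number :", delivered_before_block(1000, 3, rotate=False))
    print("rotating IDs :", delivered_before_block(1000, 3, rotate=True))
```

A per-number vote threshold stops a fixed caller after a handful of calls but never triggers when every call carries a new spoofed ID, which is why the whitelist-style rules key on known contacts rather than on known offenders.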