Spit Will Be Worse Than Spam
KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."
Can this get to my regular phone or cell phone?
If yes, then this is a problem.
If no, then this is not that big of a problem.
If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.
Arrange the usage of internet telephony over e-mail, SMS, or IM before initiating or accepting a call.
The intrusive nature of the required synchronicity of telephony is unacceptable anyway. It always has been. Hence the invention of call-screening devices, caller-ID, answering machines/voice mail, etc...
If you weren't expecting the call, don't answer it. Then you won't have to give anybody money for yet another "security" product.
Play a Special Information Tone before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
We had a dialer call through our company last year. It was pretty interesting. All of the phones in our company are on the same trunk. You could tell the dialer was just calling every possible number on the trunk in sequence because a wave of rings went through the office (it's normally pretty quiet). Everyone discovered they had a voicemail from "the job hotline" a little while later. The Attorney General eventually caught the guy and shut him down.
For first-time callers, you need a little bit of an IVR front end, ideally some kind of TellMe system. Then you have additional information about a caller before it rings your extension, and if it is really advanced it can determine who the call actually goes to. If the caller is accepted as legitimate, it gets added to the whitelist, if it is rejected (by a human) it goes to the blacklist. Everything else stays greylisted.
Like cryptography, authentication must also be a part of the protocols used in future voice communication. Fortunately, the same tech happens to help with both.
Once you have a solid identity for the caller, they can be looked up somehow, and either be classed as someone you know (i.e. have personally vetted as human) or delegated through a WoT as probably human, or determined to be "nobody."
The reason this is a problem for current VoIP and POTS is merely that those things happen to suck due to legacy interoperability, CALEA, etc.
I really do think those concerns will eventually be left behind. Just like PGP over email, though, there will be social resistance (or inertia, at least). But the very problem being discussed here (phone spam being more annoying than email spam) will make securing voice more attractive to the mainstream, than securing email was.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
As someone that runs a VOIP server, I can speak from limited experience.
1. Unlike email, the offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.
2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should, be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.
3. DB queries on call volume should identify the offender within 30 minutes anyway.
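The two limits this comment describes (no more than ~2 concurrent outbound calls per number, and call-volume queries that surface an offender within 30 minutes) as an added example, not code from the commenter or from openser; it runs the checks over constructed call records rather than a live database, and `max_concurrent`, `peak_volume` and `find_offenders` are names assumed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def max_concurrent(intervals):
    """Peak number of simultaneously active calls for a list of (start, end)."""
    events = [(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals]
    events.sort()  # at equal times (t, -1) sorts first: a call ending at t frees its slot
    peak = active = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def peak_volume(starts, window=timedelta(minutes=30)):
    """Most calls a source started within any sliding window (default 30 min)."""
    starts = sorted(starts)
    best = left = 0
    for right, t in enumerate(starts):
        while starts[left] < t - window:
            left += 1
        best = max(best, right - left + 1)
    return best

def find_offenders(calls, max_concurrent_calls=2, max_calls_per_window=20):
    """Map each source number that breaks a limit to the reasons it tripped."""
    by_source = defaultdict(list)
    for src, start, end in calls:
        by_source[src].append((start, end))
    offenders = {}
    for src, intervals in by_source.items():
        reasons = []
        conc = max_concurrent(intervals)
        if conc > max_concurrent_calls:
            reasons.append(f"concurrent={conc}")
        vol = peak_volume([s for s, _ in intervals])
        if vol > max_calls_per_window:
            reasons.append(f"volume={vol}/30min")
        if reasons:
            offenders[src] = reasons
    return offenders

# Constructed sample records (source, start, end); not real CDRs.
T0 = datetime(2010, 2, 1, 9, 0, 0)
sec = lambda n: T0 + timedelta(seconds=n)
CALLS = [("1001", sec(20 * i), sec(20 * i + 50)) for i in range(25)]   # 3 overlap, 25 in 30 min
CALLS += [("2002", sec(600 * i), sec(600 * i + 120)) for i in range(3)]  # ordinary caller
CALLS += [("3003", sec(0), sec(300)), ("3003", sec(60), sec(240))]      # exactly 2 at once: allowed
```

Against the sample, only "1001" is flagged; "3003" sits exactly at the two-call limit and passes.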
The article is an advertisement disguised as news.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
You pay to receive calls?
"Religion is the most malevolent of all mind viruses." - Arthur C. Clarke.
Um, in case you haven't heard, American cell phone customers pay for airtime on outgoing AND incoming calls.
10 years ago, I thought it was a Bad Thing. Now, I think it was ultimately a Good Thing. Why? Because the people who bore the costs were the cellco's customers, so we exerted direct pressure on our carriers to include more minutes of airtime and/or make nights/weekends/incoming calls (or at least the first minute) free. Nowadays, a typical American cellular customer pays about $50/month for service that, for all intents and purposes, is almost flat-rate. Contrast that with Europe, where the cost to call mobile numbers is set by faceless bureaucrats who are accountable mainly to the carriers themselves, and there's no incentive (or possibly even a legal way) for individual carriers to reduce the cost of incoming calls and use it as a competitive advantage over others. The net result is that a frugal person who rarely makes outgoing mobile calls can get much cheaper service in Europe, but Americans who pay 2-3x as much can basically use their phones all day (or at least all night/weekend) until the battery runs out with little risk of getting a big bill at the end of the month.
I just set up Asterisk to answer all my calls. Then it says
:)
"Hello, thank you for calling Blah & Bo. If you want Blah, press 1. If you want Bo, press 2."
I get about 10-15 calls a day that hang up before even 2 seconds of the automated prompt. And these tend to call the same time each and everyday, until they give up a week or two later.
I get NO telemarketers, EVER, as they don't really have keypads AFAIK. When I was once upgrading the Asterisk machine, it was down for 2 hours. I managed to get 2 telemarketers. I just told them to call back in the evening as I had no time. Guess what? Asterisk was up by then and they never got through!
I wish I had the iPhone's "Visual Voicemail", since then I could selectively listen to the important message and delete all the "Hi. It's me. Call me back" messages that are redundant with the missed call log.
That is the killer app on the iPhone. It's the single reason I bought the thing. It has lived up to my expectations, too.
Seth
$5 / month hosted VPS on linux = awesome!
Since this is a real-time negotiation taking place, it will be much easier to include a challenge/response in the "handshake" portion of the connection.
Unlike email (which gets queued), voice requires an instant connection between endpoints. If you simply used an audio captcha ("Hi, please say my first name after the beep to be connected..."), you can create a hurdle that has to be overcome immediately. Using VOX/IVR technology would easily create an AI nightmare for potential "SPITers". Add a short timeout (like 10 seconds, with a few retries) and then dump the dubious caller.
Corporations do it to us all the time when we call customer service: "I'm sorry, that's not a valid option. Goodbye".
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
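The greylist flow from the earlier IVR comment (accepted callers join the whitelist, human-rejected ones the blacklist, everyone else stays greylisted) and the audio challenge with a timeout and a few retries from this one, combined into one added example that is not code from any commenter or product; `Screener`, `scripted_caller`, `owner_name` and the `responder` callback are names assumed here, and the two caller scripts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Screener:
    """White/black/greylist screening with an audio challenge for unknown callers."""
    owner_name: str = "alice"      # the answer the challenge expects
    timeout: float = 10.0          # seconds the caller gets to answer
    retries: int = 2               # extra attempts after the first
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)

    def screen(self, caller, responder):
        """Decide 'ring', 'reject' or 'drop' before the owner's phone rings.
        responder(prompt) returns (seconds_to_answer, text) or None for silence."""
        if caller in self.blacklist:
            return "reject"
        if caller in self.whitelist:
            return "ring"                       # vetted: no challenge needed
        # Greylisted: challenge during call setup, while the session is still negotiating.
        for _ in range(self.retries + 1):
            reply = responder("Please say my first name after the beep.")
            if reply is None:
                continue                        # silence: the timer runs out
            delay, text = reply
            if delay <= self.timeout and text.strip().lower() == self.owner_name:
                return "ring"
        return "drop"                           # out of attempts: dubious caller

    def record_decision(self, caller, accepted):
        """After a human took the call: accepted callers move to the whitelist,
        rejected ones to the blacklist; anyone else stays greylisted."""
        keep, purge = (self.whitelist, self.blacklist) if accepted else (self.blacklist, self.whitelist)
        keep.add(caller)
        purge.discard(caller)

def scripted_caller(replies):
    """Build a responder that plays back canned replies, one per prompt."""
    queue = list(replies)
    return lambda prompt: queue.pop(0) if queue else None

# Constructed scenarios (not real calls): an autodialer that talks over the prompt,
# and a human who needs a second try but answers within the timeout.
AUTODIALER = [(0.5, "Hi, this is the job hotline, press 1 to"), None, None]
HUMAN = [None, (4.0, "Alice")]
```

A responder that answers correctly but after the timeout is treated like silence, so a slow recording cannot get through by guessing.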