Slashdot Mirror


Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."

7 of 248 comments

  1. Call Screening by Orange+Crush · · Score: 5, Informative

    Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

    Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

  2. Spam? Spit? What's next? by oahazmatt · · Score: 5, Funny

    Spam? Spit? What's next? Spam in Everyday Reading Material?

    "I'm getting sick of the SPERM in the morning paper."

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  3. Old Turing Test by Thelasko · · Score: 5, Interesting

    Play a Special Information Tone before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  4. Colour of bits in the packet by DrYak · · Score: 5, Insightful

    there really isn't a difference between "voice" and "data" as it gets to your cell phone. But once it gets to your bill, there's a difference.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  5. The paper is stupid by tkinnun0 · · Score: 5, Insightful

    They set up a scenario where every call gives the callee a small payment, then find this weakness in it:

    "Let us even assume, that Payment at Risk is used for every call. Even in that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to “normal” customers."

    Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?

  6. Re:#1 question by Frantix · · Score: 5, Insightful

    Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.

  7. Re:#1 question by Sandbags · · Score: 5, Insightful

    Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

    On to the topic at hand however...

    VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.

    For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

    A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

    White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
    I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

    All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP Provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...

    --
    There is no contest in life for which the unprepared have the advantage.
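
The screening rules described in comment 7 (blocked calls, name records, toll-free call-backs, night-time handling, provider block lists), written out as one decision function. This is an added example, not part of the original comment; the quiet-hours window, the action names and the sample numbers used with it are assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

TOLL_FREE_PREFIXES = ("800", "866")  # the two prefixes named in the comment


def normalize(caller_id: str) -> str:
    """Reduce a presented caller ID to a 10-digit NANP number where possible."""
    digits = "".join(ch for ch in caller_id if ch.isdigit())
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass
class ScreeningPolicy:
    contacts: set = field(default_factory=set)   # numbers with a name record
    expected: set = field(default_factory=set)   # businesses whose call is expected
    blocklist: set = field(default_factory=set)  # known SPIT sources
    quiet_start: time = time(23, 0)              # assumed night window
    quiet_end: time = time(7, 0)

    def in_quiet_hours(self, now: time) -> bool:
        if self.quiet_start <= self.quiet_end:
            return self.quiet_start <= now < self.quiet_end
        # Window wraps past midnight (e.g. 23:00 to 07:00).
        return now >= self.quiet_start or now < self.quiet_end

    def decide(self, caller_id: Optional[str], now: time) -> str:
        number = normalize(caller_id or "")
        if not number:
            return "voicemail"            # blocked or private caller ID
        if number in self.blocklist:
            return "reject"               # filtered before the phone rings
        known = number in self.contacts
        if self.in_quiet_hours(now):
            # Nothing rings at night; only a known caller's voicemail wakes anyone.
            return "voicemail_and_wake" if known else "voicemail"
        if known or number in self.expected:
            return "ring"
        if number[:3] in TOLL_FREE_PREFIXES:
            # Caller ID can be spoofed, so identity is confirmed by calling back.
            return "callback_to_verify"
        return "voicemail"                # unknown number: leave a message
```

A match against `contacts` is only as trustworthy as the presented caller ID, which is why the toll-free branch verifies by calling back instead of ringing through.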