Hack AT&T Voicemail With Android
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Any politician dumb enough not to password protect EVERYTHING deserves the results. As for average joe customer, I could see some being surprised by this - ATT should probably change the system to require passcode/PIN.
Not using a password allows hackers access to your data!
More at 11.
Passwords People, they are not just for Game shows.
Spoofing caller id should be illegal, but there are just enough loopholes to let you get away with it.
I don't believe this is ONLY restricted to AT&T.
Sig Battery depleted. Reverting to safe mode.
If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.
This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherent phone number since (obviously) it's not originating in the pstn. The solution? You can pick your own caller id.
"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
Answer: none, since Microsoft isn't paying them to target AT&T.
Really? You think the caller ID spoofing is the problem here?
I like how you forget the first sentence by the time you move on to the second.
Allow me to repeat him:
Passwords People, they are not just for Game shows.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
My first line somehow escaped your attention?
Sig Battery depleted. Reverting to safe mode.
I am the one who posted this - it is my first Slashdot submission. Please don't flame too hard. I am posting anon because I am a convicted hacker on probation. I just wanted to add that we noticed a side effect of doing this: If the target is using an iPhone, their Visual Voicemail will prompt for a password the moment the attacker logs out of their voicemail box. The target must then reset their VM password.
I would have been funnier if you started your comment with the word "Really?"...
Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.
- Dan
No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.
Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.
Sig Battery depleted. Reverting to safe mode.
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in Slashdot, among other places - I couldn't find any articles with a lazy Google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.
The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.
Please help metamoderate.
Quite correct. We had the same thing happen in NZ. In 2005...
http://www.theage.com.au/news/Breaking/NZ-hacker-targets-voicemail/2005/05/13/1115843355125.html
house and senate have both passed bills
wouldn't want to be the first test case if you got caught
So riddle me this, what would happen if I went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?
Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.
I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose - I was trying to goof on a friend by having his phone ring with his own number. Then I got the voicemail prompt, and I hung up.
And yet, they are at fault anyway. Just because a lot of people do something doesn't mean their responsibility is automatically waived.
My friend used an application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.
You can do this with many VOIP services. I have done it with an asterisk box and a PRI (T-1).
Also available for BlackBerry or PC. I've been able to do this for at least a year now..
...IMEI rather than phone No.
As well as a password.
If you get a new phone, all you need to do is link your new IMEI and remove the old one. It's more secure and pushes things up a notch legal-wise if someone tries to spoof an IMEI!!
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Is the default really no password for most AT&T phones? I seem to recall part of the iPhone setup requiring you to enter a vmail password.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I was able to change the number my work landline displayed and was able to access my ATT voicemail after I removed my password. We use an NEC IPK II for our voicemail system and it literally takes a few seconds to change the outgoing number for a phone.
He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?
Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?
It's kind of sad how many situations this cut-and-paste troll is appropriate.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.
If you are not allowed to question your government then the government has answered your question.
I agree that it's not Google's fault, but I think the point is that Android lowers the bar for someone attempting this. Configuring asterisk to spoof caller ID and retrieving voicemail is possible, but relatively few have the proficiency to do this. Any idiot can buy an Android phone.
Really? You would have been? (Not that your current funniness is a high bar...)
Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages? Should I be afraid that Mr. Hacker knows that my wife is picking up cereal and eggs at Safeway this afternoon? Or that my buddy wants to go out for beer after work?
As Steve Jobs once said, "This is a non-issue."
Old news.... Not an Android issue... Not an AT&T issue... Sounds like a disgruntled Pocket user... This is what you get when you can't be bothered to set a passkey on your voice mail. Hacking....P'shaw...
TimeOut
callerid spoofing is about to be illegal. http://www.govtrack.us/congress/bill.xpd?bill=h111-1258
callerid is not the same as the ANI number on the call. The ANI is what is used to bill.
I think caller ID spoofing is fraud and should be prosecuted as a criminal charge, and those phone companies that allow CID spoofing should be charged as conspirators.
Learn to love Alaska
Hilariously the advertisement for this article in g reader is for spoof card "the number 1 caller ID spoofer"
How old is this? I read about this back in 2006. Check this: http://www.oreillynet.com/onlamp/blog/2006/02/exploit_cingular_voicemail_vul.html. Why is it news now? As a matter of fact, it's not just from Android - you can do this from any phone with the caller id spoof app or connect the spoofing device to any phone and do it.
callerid is not the same as the ANI number on the call. The ANI is what is used to bill.
I think that was exactly the GPs point.
If they used the ANI rather than the caller ID, there wouldn't be a problem.
Ever stop to think
please tell me this is slashdot worthy?
I see this post as the same thing as saying one of the following:
You can hack into a car by throwing your android phone really hard at a window.
There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
Hack the airwaves, play music on your android.
AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.
But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.
It's always worked this way.
Put a password on it...
Why don't they just use the imei number? It is pretty hard to change those and it is illegal to do so in most countries.
"Don't Panic!"
Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs... then demanding more money or else they will text the spoofed ID about who was wanting to hack them.
What is needed is a two fold attack against this:
1: As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access. This should fall under computer trespassing statutes.
2: A technological solution: ANI, checking ESN/IMEI codes, a private key stored on the SIM card. Perhaps the next generation of GSM should have the ability to have a RSA or ECC keypair on the SIM (or R/UIM) card and allow for signing on the card.
it's not even restricted to android.
Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs...
Can you spoof CID internationally? If so, then it would be a simple check to see if it's coming in as a number that it can't be coming in as (just like all good network admins have RFC 1918 addresses blocked incoming to their network).
As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access.
Defining "spoofing" with the common and non-technical use of the word spoofing, all spoofing should be illegal. If you aren't authorized to use the number, it should be illegal to use it. Even if it doesn't gain you specific unauthorized access, it can be used for other nefarious reasons, and there is no reasonable reason to use it.
Spoofing as meaning advertising one of your properly owned numbers out another phone or service (Google Voice) is not "spoofing" as understood by most people, and is not deception in that a call back on that number will reach you. I'm just clarifying because when techies talk about spoofing, they recognize that as the proper term for setting the CID to anything other than what the phone company sets, and the rest of the planet thinks "spoofing" indicates setting it to something other than authorized.
Learn to love Alaska
A problem that companies run into from time to time is voicemail hijacking from drug traffickers. They create an account and place outgoing calls from within the company. I can see the same thing happening here. If they want to get really clever they can jump their call through a few voicemail accounts. Even if a call was tapped/traced it would probably take days or weeks (if ever) to trace down the real source. Certainly takes the power of wiretapping a few notches.
If their best guess, phone # on caller ID, can't be trusted and the customer can't be bothered to make a password, how might the service know who it is dealing with? Psychic powers of awesomeness? I know the company could ENFORCE passwords, but we all know what those would look like anyway. As far as I can guess, the only solution is......enforce a password, as shitty as it might be........because it would be something. Is it perfect? hells to the no, but that's the best my puny brain can come up with.
But, I KNOW you guys are smart, so focus on the SOLUTIONS to this problem, the world needs our brains! Please someone with more smarts give us an idea of the best way to pwn the haxors.
The IMEI number changes with the phone. So, if I took my SIM card out, and put it in another phone BAM new IMEI number.
But MOST systems don't use the CLI (a field which is trivially set) to determine what number you're calling from...
There are other systems used for identifying a caller, like ANI which gets routed between telcos but doesn't get shown to end users, this is used for billing of network termination charges etc.
And surely if someone is calling their own number, then the call never has to leave the operator's network so they *know* where it's from. I can't access my voicemail even from my own phone when I'm roaming for instance.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
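The distinction drawn in the comment above, between the presented CLI and what the network itself knows about the caller, sketched as an added example (not code from any poster or carrier). The field names, ingress labels and 555-01xx numbers are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Hypothetical label for calls that entered via the carrier's own radio network.
ON_NET_INGRESS = {"on_net_radio"}


class Decision(Enum):
    DIRECT_ACCESS = "direct_access"  # caller lands in the mailbox menu, no PIN
    REQUIRE_PIN = "require_pin"
    REJECT = "reject"                # identity unverified and no PIN to fall back on


@dataclass(frozen=True)
class InboundCall:
    presented_cli: Optional[str]     # caller-supplied number, trivially settable
    network_identity: Optional[str]  # ANI-like value set by the serving switch
    ingress: str                     # where the call entered the network


@dataclass(frozen=True)
class Mailbox:
    number: str
    pin_set: bool


def normalize(number: Optional[str], default_cc: str = "1") -> Optional[str]:
    """Reduce a number to digits with country code (assumes NANP for local format)."""
    if not number:
        return None
    digits = re.sub(r"\D", "", number)
    if not digits:
        return None
    if not number.strip().startswith("+") and len(digits) == 10:
        return default_cc + digits
    return digits


def legacy_policy(call: InboundCall, box: Mailbox) -> Decision:
    """Behaviour described in the submission: a matching CLI is treated as the owner."""
    if normalize(call.presented_cli) == normalize(box.number) and not box.pin_set:
        return Decision.DIRECT_ACCESS
    return Decision.REQUIRE_PIN if box.pin_set else Decision.REJECT


def hardened_policy(call: InboundCall, box: Mailbox) -> Tuple[Decision, str]:
    """Skip the PIN only when the carrier's own network vouches for the line."""
    mailbox = normalize(box.number)
    cli = normalize(call.presented_cli)
    asserted = normalize(call.network_identity)
    on_net = call.ingress in ON_NET_INGRESS

    if on_net and asserted == mailbox:
        return Decision.DIRECT_ACCESS, "network-asserted identity on own network"

    if cli == mailbox and not on_net:
        # Same idea as dropping RFC 1918 source addresses at the border:
        # a subscriber's own number should not arrive from outside.
        reason = "subscriber number presented from off-net ingress"
    elif cli == mailbox:
        reason = "presented CLI not backed by network identity"
    else:
        reason = "caller is not the mailbox line"

    return (Decision.REQUIRE_PIN if box.pin_set else Decision.REJECT), reason


# Constructed sample data.
NO_PIN_BOX = Mailbox(number="+1 202 555 0143", pin_set=False)
PIN_BOX = Mailbox(number="+1 202 555 0143", pin_set=True)
OWN_HANDSET = InboundCall("+12025550143", "2025550143", "on_net_radio")
OFF_NET_SAME_CLI = InboundCall("202-555-0143", None, "voip_trunk")
OWNER_ON_LANDLINE = InboundCall("+12025550177", "+12025550177", "interconnect")

if __name__ == "__main__":
    for name, call in [("own handset", OWN_HANDSET),
                       ("off-net, CLI = mailbox", OFF_NET_SAME_CLI),
                       ("owner on landline", OWNER_ON_LANDLINE)]:
        for box in (NO_PIN_BOX, PIN_BOX):
            decision, reason = hardened_policy(call, box)
            print(f"{name:24} pin_set={box.pin_set!s:5} "
                  f"legacy={legacy_policy(call, box).value:13} "
                  f"hardened={decision.value:13} ({reason})")
```
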
Can you spoof CID internationally?
Yes and no, some international links don't pass CLI at all, and some operators try to be clever and stamp the country code of where you're coming from in front of the number you send (because some cli systems only send the number in local format without the international code)
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Wait...so you mean to tell me, the consumer is absolved of every bit of fault, and it lies with the carrier, by not opting to use (in this case) security options that are available to them? It's not as if they have no idea that the password to their voicemail exists, it's the second thing you have to enter when you first dial your voicemail to set it up. To put it another way, what you're insinuating is that the following is a valid chain of logic:
1: I set a password...
2: I'm never asked for my password...
3: ???
4: It's their fault my voicemail got jacked!
It's not. Consumers bear as much responsibility for using their heads, thinking a little bit, rather than having legislators and lawyers shift the blame off of them for their ignorance. 'I wasn't told' shouldn't be an excuse for this sort of thing, or any clause you didn't bother to read in a contractual agreement or on the packaging, and so on--and this broadly speaking, not just a thing with phones (of any sort). The consumer bears responsibility for their ignorance, where it is willful.
I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
This is only a problem for AT&T, other networks don't have a problem... It's an insecure implementation on the part of AT&T and they need to fix it - like everyone else has.
Attempting to gain unauthorized access is already illegal, whether you do so by spoofing CLI or by breaking down the door with an axe.
If you make spoofing CLI illegal then you won't stop people doing it, you will just decrease the instances of it being done to a small group of hardened criminals.. That way the general public will become even more blindly trusting of the CLI and more likely to fall for criminal activity.
Spoofing CLI is no different than spoofing email, it's easy to do and the real solution is educating the user not to blindly trust the originating number.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I seem to remember that on my carrier, the first thing you're required to do when entering voicemail is to set a password.
Of course, if you've never used your voicemail, then you won't be required to do so, but then it's silly to be paying for that feature, isn't it.
The fault is the telcos (of which ATT is the biggest and oldest one) who years ago designed an insecure caller ID system. It's been known that the system is insecure for *years* now, and there has been no move to fix it. Not a single effort by anyone.
The solution is to make delivery of caller ID data that is not true and correct just ILLEGAL. A $1,000 fine per incident.
The telcos would have to turn off the caller ID until they could secure that whole system. Unfortunately they are the only ones who could do it. And as soon as possible please.
It's not just ATT or Android, it's the whole insecure system. It sucks terribly and needs to be fixed. I don't see the telcos doing it until they are forced to. A $1,000 fine per incident would do it.
.
You call your own voicemail from your own cellphone, the operator of your own network is *supposed* to know who you are. It's just not too much to ask.
Making you use a password to call your own voicemail from your own phone, well, if that's the only security the telcos have they are very lacking.
I am not going to give the telcos a pass on the security of your own phone and your own voicemail, calling from their own network. They need to secure all that.
If their system is so lame they don't know who is calling on their own network, well, they should be shut down. They are bozos.
.
I haven't tried for a couple of years, but accessing voicemail by spoofing CLI certainly used to work on at least two UK mobile networks (N.B. I tested it using my own accounts).
Many people are not aware how easy it can be to spoof CLI in the UK.
AJB
List needed.
I've tried this in Sweden with several carriers and my asterisk. Not a single one will accept another CID than my phone number, except a blank one.
It's at the carrier's discretion though. After much trouble, at the company I work for, we finally were able to set any of our own numbers to any outgoing call we made. We had 100 numbers.
Well hopefully some good will come of it in the form of it raising people's awareness to the point where big telcos can no longer just ignore the problem and hope it goes away.
How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?
Answer: none. Nobody knows Washington better than AT&T.
The higher the technology, the sharper that two-edged sword.
You want to tie it to the simcard, not to the phone.
I don't believe this is ONLY restricted to AT&T.
I remember once I saw a comment on Slashdot about a guy in the UK with an Asterisk system using the same technique to give employees easy access to their cell voicemail - his ITSP allowed caller ID spoofing, and the cell provider's only form of "authentication" was the caller ID.
"When information is power, privacy is freedom" - Jah-Wren Ryel
IANAL but I thought that caller ID spoofing was illegal, as by doing so you are using someone else's identity without their consent.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
ATT hasn't been in the hardware business for almost 15 years.
ATT-branded hardware was made by Lucent for a while, and is now made by VTech of Hong Kong.
kdawson, you don't have to live up to the stereotype of posting terrible stories.
I agree. This is not restricted to just AT&T. AT&T, like ALL other providers, purchase their voicemail platforms from OTHER COMPANIES, such as Avaya & Lucent, etc. AT&T has simply purchased the products on the market that were the best solution at the time, or perhaps purchased from salesmen who blew the most smoke. AT&T, and ALL other providers have been aware of this since call spoofing was born. I'm sure the pickle they find themselves in is how do you suddenly force 50 million people to password protect their voicemail box without blowing up your distributed call centers with a flood of people that don't understand the change.
Let's make like a bird... and get the flock outta here.
Verizon makes the default voicemail password the last four digits of your phone number by default, doesn't it? If they still do, then wouldn't that be just as easy to get into?
As an iPhone customer with visual voicemail, I was never prompted to set up a voicemail password when I set up my phone. I doubt that anyone else was, either.
Worse yet, the option to set a voicemail password is buried in the phone settings. The option doesn't even seem to work, either, as the password change option failed with an error message saying that "voicemail was unavailable" when I tried to set a password.
Sorry, but it's hard to blame the customer on this mess. Both Apple and AT&T screwed up when it came to securing this feature properly.
The solution is to make delivery of caller ID data that is not true and correct just ILLEGAL. A $1,000 fine per incident. The telcos would have to turn off the caller ID until they could secure that whole system. Unfortunately they are the only ones who could do it. And as soon as possible please.
Except I think they can't. I think caller ID support is one of those features that telcos are required by law to provide for all lines. Which makes sense to me why they wouldn't be too motivated to maintain the system; it's not a marketable service, they lose money by providing it.
Hey look another shit article from kdawson with a terrible headline. Try rewriting that to "Hack AT&T Voicemail with Caller ID Spoofing" and maybe people could take it seriously. Congrats kdawson, you've just earned a filter from the main page for me, sick of reading your crap. (Posting anon to not waste some well spent mod points.)
Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.
I can vouch for that. Same with Three in Australia at least.
(I have a PIN on my voicemail in Australia, but if I call mobile voicemail from my VoIP line, which has CID set to my mobile number, it bypasses the PIN.
Caller-ID is accepted as proof of identity, even when it comes from another network.)
At least one congresscritter has proposed legislation to that effect.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Not at all true. On Cellphones they have thrown in CID. On landlines it's a cash cow, they charge $3-$4 for it.
.
At least it did last I checked. Spoofing an in-network phone number when calling an AT&T cell phone will be counted as mobile-to-mobile - no air time used on most plans.
Defining "spoofing" with the common and non-technical use of the word spoofing, all spoofing should be illegal. If you aren't authorized to use the number, it should be illegal to use it.
Oh you tax-and-spend authoritarians!
Where do you think the money comes from for the federal investigations of wire fraud every time someone calls a wrong number or manually edits a URL? What's the cost benefit to society of sentencing some punk kid to 900 years for 60K counts of hacking facebook instead of making facebook fix their problem?
How does it benefit society that we bail out companies who can't be bothered even try to be secure?
So now when it happens people will be convinced it's real.
It's exactly what they did with listening to cellular calls. They outlawed it early enough in adoption that most people didn't know their calls were broadcast in the clear - and it was illegal to show them proof.
As a consequence people were less safe than if eavesdropping were common, at least then they'd have known to take precautions or use a more-secure device.
How does it benefit society that we bail out companies who can't be bothered even try to be secure?
I can't tell if you are being entirely sarcastic, or just have sarcasm interspersed with your opinion.
Apparently, your opinion is that people shouldn't investigate fraud because lying for material gain isn't a bad thing.
Learn to love Alaska
Spoofing CLI is no different than spoofing email, it's easy to do and the real solution is educating the user not to blindly trust the originating number.
It's technically trivial to do, and technically trivial to stop. The real solution is to prosecute fraud and "hacking" laws, rather than making excuses defending the criminal actions. And, since the phone companies are party to the fraud (they know for certain what numbers are authorized on which lines, and explicitly allow "unauthorized" numbers to be used), they should be held accountable in their part as well.
Learn to love Alaska
You had to stretch a lot to get there.
How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure? Why should we foot the bill for something doomed to fail?
Why make faking some bits in a header fraud when they could just stop trusting customer data? There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.
You had to stretch a lot to get there.
Your inability to critically think does not indicate that my argument was a stretch.
How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure?
We have laws in place making it functionally illegal. We should just clarify the laws.
Why should we foot the bill for something doomed to fail?
Are you talking about the automaker bailouts? The airline bailouts? Public education funding? Prohibition? Clarify man, given that just about every government has eventually failed, everything they've ever done has failed as well, and as such, no one should ever do anything ever because at some point in the future it will fail. If you are using that as your True Test, then nothing passes, and this is so low on the list it's a waste of your time to talk about, go out there and work on our foreign policy, it's never done anything right and it costs trillions every year.
Why make faking some bits in a header fraud when they could just stop trusting customer data?
Because those lying bits *are* fraud. Why are you encouraging fraud? Why are you for legalization of fraud? I don't care about AT&T's internal policies. Someone lied in order to gain access to a system they didn't have authorization to use. Period. That's a federal crime. Why are you against enforcing the laws we have now?
There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.
That's a separate and unrelated issue. If someone suffers a loss, then they should sue AT&T. If AT&T has an insecure policy as a standard policy, then all their customers should get together and sue them in a class action. But whether AT&T harmed their customers from a policy is unrelated to the fraud committed by those that abused that permissive policy.
Again, you are defending the people committing fraud. Why?
Learn to love Alaska
You're trying as hard as you can to miss my point.
I'm asking why we bother footing the bill for prosecuting trivialities as crimes.
It's like drug laws. Yes, they are there, but they're wasteful, functionally useless, and overly restrictive. Why do we pay for that nonsense?
no one should ever do anything ever because at some point in the future it will fail.
I know you're still trying your hardest to not get it, but there's a big difference between something that might not succeed and blindly repeating things you KNOW will fail.
Because those lying bits *are* fraud.
No, they are not. They're user-settable bits. They aren't valid ID, or data on a form you've promised to fill in correctly. It's like a nickname. That the equipment to set it is so rare you haven't heard of it isn't my problem.
How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure?
We have laws in place making it functionally illegal. We should just clarify the laws.
But why? How does the public's balance sheet look any better at the end of the year for cracking down on caller-ID spoofing?
There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.
That's a separate and unrelated issue. If someone suffers a loss, then they should sue AT&T. If AT&T has an insecure policy as a standard policy, then all their customers should get together and sue them in a class action. But whether AT&T harmed their customers from a policy is unrelated to the fraud committed by those that abused that permissive policy.
But AT&T wouldn't be at fault because the action was illegal. So they'd have no incentive to fix it. They'd leave more customers at risk that way than if they had to fix this.
Again, you are defending the people committing fraud. Why?
No, I'm advocating for a state of reality where we would have encrypted cellphones because the government hadn't just mandated that listening to calls is illegal.
But now because you don't want to acknowledge the nature of caller-ID, especially versus ANI which is made for identifying the calling party for billing purposes, we're going to have more useless laws that penalize the law-abiding and do nothing but dumb down the population.
How do we benefit from this?
You're trying as hard as you can to miss my point.
My point is that CID spoofing is fraud. If it isn't being prosecuted as such, then the laws should be updated to include the current technological equivalent of calling up, claiming to be someone you aren't, and using those lies for your own benefit.
You either think it is or isn't fraud. You either think fraud should or shouldn't be illegal. You aren't addressing any of those questions. I understand your point, but you aren't addressing my questions about your point.
But AT&T wouldn't be at fault because the action was illegal.
Never mind. You are so ignorant that I can't convince you of anything. I guess ignorant is wrong. Ignorant and questioning is a virtue. Ignorant and sure of it is called stupidity.
Negligence is actionable, even if the person taking advantage of the negligence broke the law. A locksmith that "secures" your house by putting in locks that don't work is liable when someone breaks the law to burgle. One is criminally liable. The other is civilly liable.
No, they are not [fraud]. It's like a nickname.
Yup, incurably stupid. Next, you'll tell me that if I claim to be President George H W Bush on the phone with someone and request a donation to a fake charity, that it's not fraud because purposefully lying with the intent to deceive for profit isn't "fraud" it's just creative use of a nickname. After all, you should have demanded that I show you my ID over the phone. Go ahead, define fraud in a manner that doesn't include lying over CID to appear to be someone else in order to deceive for profit. You haven't. At best, you've just said that the government shouldn't protect people defrauded. But in that case, your entire point is irrelevant because your preferences as to whether fraud should be prosecuted is irrelevant to the question of given that fraud is illegal, should CID spoofing for fraudulent purposes be illegal.
I'm asking why we bother footing the bill for prosecuting trivialities as crimes.
Because you live in a democracy, and most people would like the government to help enforce laws against fraud. You are the first person I've ever spoken to that thinks fraud should be legal. Why not assault too? After all, just hitting someone doesn't leave any lasting harm. And burglary is more honorable than fraud, because you don't have to lie and cheat to take someone's money, you just take it and if they didn't secure their house well enough, it's their own fault anyway, right? And rape, she was asking for it. And murder, after all most are committed by someone you know, and if you hung around with people like that you got what you deserved. All those petty crimes are silly, we shouldn't worry about them.
Learn to love Alaska
You are the first person I've ever spoken to that thinks fraud should be legal.
You are so fucking dumb. You're the first person I've met who thinks I want the tautologically impossible, that fraud not be illegal.
You quoted it yourself, prosecuting trivialities as crimes.
Trivialities. Spoofing CID is a triviality because it's not meant to be a secure system.
You either think it is or isn't fraud.
I think we're wasting time and money making things fraud.
Next, you'll tell me that if I claim to be President George H W Bush on the phone with someone and request a donation to a fake charity, that it's not fraud because purposefully lying with the intent to deceive for profit isn't "fraud" it's just creative use of a nickname.
It's the defrauding of the charity that's the problem, not the phrase "my name is George Bush".
most people would like the government to help enforce laws against fraud.
Most people also want the government not to throw money away on band-aid solutions to made-up problems.
It's our law. If we don't decide to make it fraud then it doesn't have to be illegal.
Negligence is actionable, even if the person taking advantage of the negligence broke the law. A locksmith that "secures" your house by putting in locks that don't work is liable when someone breaks the law to burgle.
Not when the government decrees set the acceptable standards. If cellphones can't be monitored (by fiat) why would a company bother providing extra protection? How could they be shown to be negligent? Demonstrating the problem, or even having equipment to do so, was illegal.
Similarly, a locksmith can only be sued if they failed to install a lock of normal quality, not if all locks of normal quality are easily defeated. If you ban lock-picks you can keep most people ignorant, but not safe.
And rape, she was asking for it.
You forgot to compare me to Hitler.
Ignorant and sure of it is called stupidity.
You mean like how you don't understand what I'm saying but are attacking it anyways?
So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using?
Wow, you seriously have no idea how this stuff works, do you?
In Reason We Trust
You're the first person I've met who thinks I want the tautologically impossible, that fraud not be illegal.
That's not tautologically impossible. It's as simple as repealing a law against the "triviality" of lying for gain. Then fraud will be legal. Do you not understand how laws work? Or do you not understand what fraud is? And you complain when I say your stance is to legalize fraud, yet you want to legalize CID spoofing, which is lying for gain. So you are either for the legalization of the triviality that is fraud, or you are for the illegality of CID spoofing. You can't redefine "fraud" to mean lying for personal gain, unless that lying is via use of the CID system.
It's our law. If we don't decide to make it fraud then it doesn't have to be illegal.
You have the cause and effect of definitions mixed up. CID spoofing *is* fraud. Whether you want fraud legal or illegal is what we can change. Fraud is not immutably illegal. That is, if we repeal all laws, fraud will become legal (along with everything else). It's illegal because there exists a law saying "fraud is illegal." When you strip away whether it's fake IDs or spoofed CID or such, your argument becomes "I want lying for gain to be illegal, but not lying for gain to be illegal." Your argument is contradictory and impossible. That's why it took me so long to understand what you were saying. You weren't arguing fraud should be legal, but that lying for gain shouldn't be fraud, when every dictionary on the planet lists lying for gain as the definition of fraud. However, even through force of law, you can't change the meaning of a word. You can only change what's legal or illegal. You want CID spoofing excluded from the definition of fraud. You might be able to pass a law making CID spoofing an exception to the laws against fraud, but you can't change the definition of the word. But then, I think you are so interested in proving me wrong that you don't even have any idea what you are talking about, other than you get to mutter "you are wrong" repeatedly.
Learn to love Alaska
What numbers are technically "authorised" is actually very hard to determine. It might be relatively simple in a case like this where the destination number and voicemail system belong to the same telco, but consider for a moment.
Roaming - your number which belongs to one telco, now exists at a roaming partner in a different country.
Interconnects - if I use one telco and call a customer of a completely different telco, how is that call routed? It might be through third parties, how do you keep track of who owns what number?
Companies with multiple lines - at work we have lines from 3 different providers for resiliency, however when making an outbound call we always present our main switchboard number as the CLI - the switchboard number only belongs to one of the 3 suppliers but we can announce it through all 3.
When I make calls from home via my VoIP phone (because it's cheaper) I always present the CLI of my mobile, so that people know who's calling and can call back even if I'm not at home.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
What numbers are technically "authorised" is actually very hard to determine.
They are trivial.
Roaming - your number which belongs to one telco, now exists at a roaming partner in a different country.
Compare the billing number to the CID. If they match, send it. If they don't, send the billing number. What's the issue?
Interconnects - if I use one telco and call a customer of a completely different telco, how is that call routed? It might be through third parties, how do you keep track of who owns what number?
At best, you are claiming that one telco can lie to another. Agreed. The last number sold from a telco to a non-telco is where it's done. It's not hard. It's not rocket science. If they are a telco, they will be registered with the state and the feds (not some guy with a T1 in his garage and a bank of modems that thinks he's a telco, but a real one). If the state regulatory agency doesn't register them, then you don't let them pass CID through your network without verification. Again, blindingly simple.
Companies with multiple lines - at work we have lines from 3 different providers for resiliency, however when making an outbound call we always present our main switchboard number as the CLI - the switchboard number only belongs to one of the 3 suppliers but we can announce it through all 3.
You register the number with the telco. Again, not rocket science.
When I make calls from home via my VoIP phone (because it's cheaper) I always present the CLI of my mobile, so that people know who's calling and can call back even if I'm not at home.
There is no such thing as a VoIP phone that connects to the PSTN. You are using some provider for the PSTN line. Who owns that line? Get them authorized to pass your mobile number out, and poof, all is good.
Yes, it will make for more paperwork. But there's nothing in anything you said that would be technically challenging at all. It's just a matter of whether we want to lock down CID to where it's as secure as people already think it is, or whether we should just give up on CID being useful because any teen with a Droid and an app (or any number of ways of doing it from a home phone, if the telco doesn't already block CID) can call from 1600 Pennsylvania Ave.
Learn to love Alaska
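The screening rules this comment describes (pass a presented CID only when it matches the billing number or a number registered for that line, otherwise send the billing number, and withhold CID from peers that are not registered carriers), written out as an added example that is not part of the thread or any carrier's code. The class and function names, the carrier list and the 555-01xx numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def normalize(number: str) -> str:
    """Reduce a dialled string to digits; drop a leading NANP '1' on 11-digit numbers."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass(frozen=True)
class Line:
    """One subscriber line as the originating carrier knows it (hypothetical model)."""
    billing_number: str                       # the number the carrier bills for this line
    registered_cids: frozenset = frozenset()  # extra numbers the customer registered

    def may_present(self, cid: str) -> bool:
        allowed = {normalize(self.billing_number)}
        allowed |= {normalize(n) for n in self.registered_cids}
        return normalize(cid) in allowed


# Constructed stand-in for "registered with the state and the feds".
REGISTERED_CARRIERS = frozenset({"carrier-a.example", "roaming-partner.example"})


def screen_subscriber_call(line: Line, presented_cid: str) -> Tuple[str, str]:
    """Call handed to the carrier by its own customer (home line, PBX trunk, VoIP account)."""
    if presented_cid and line.may_present(presented_cid):
        return normalize(presented_cid), "passed"
    # Mismatch or empty CID: fall back to the number the carrier can vouch for.
    return normalize(line.billing_number), "replaced-with-billing-number"


def screen_interconnect_call(peer: str, presented_cid: str) -> Tuple[Optional[str], str]:
    """Call handed over by another network (interconnect or roaming partner)."""
    if peer in REGISTERED_CARRIERS:
        # The upstream carrier is assumed to have screened at its own edge.
        return normalize(presented_cid), "passed-from-registered-carrier"
    return None, "withheld-unverified-peer"


# Constructed sample: a VoIP line whose owner registered a mobile number as an allowed CID.
SAMPLE_LINE = Line("+1 (907) 555-0100", frozenset({"907-555-0142"}))


def run_samples() -> List[Tuple[Optional[str], str]]:
    return [
        screen_subscriber_call(SAMPLE_LINE, "907 555 0100"),      # own billing number
        screen_subscriber_call(SAMPLE_LINE, "+1 907 555 0142"),   # registered mobile
        screen_subscriber_call(SAMPLE_LINE, "202-555-0199"),      # someone else's number
        screen_interconnect_call("carrier-a.example", "202-555-0199"),
        screen_interconnect_call("garage-t1.example", "202-555-0199"),
    ]


if __name__ == "__main__":
    for cid, verdict in run_samples():
        print(cid, verdict)
```

The receiving side still only sees whatever CID survives this screening, so a voicemail system that skips the PIN on a CID match depends on every carrier in the path applying rules like these.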
I'm talking about things that shouldn't be made into crimes. Your posts are nothing but a semantic game about the meaning of lie vs fraud. Fuck off with your pedantic bullshit.
You know what I was talking about and are totally unwilling to address the point.
CID changing is PART OF THE PROTOCOL, where clients can call themselves whatever they want, because the real information is lower in another untouchable field. It's like how ICQ gives you a user number but lets you change your nickname. To someone from another system it might seem like everyone can spoof each other until they know to use the number to identify people, not the name.
I understand your fears. To you this is as scary as if your bank started offering services on IRC to people by their nickname. You'd be panicked someone else could use the name AK_Marc and clear out your account. But instead of doing the reasonable thing and demanding your bank fix its system, require passwords, etc, you're demanding laws to fix it by making a federal nickname registry.
Wouldn't you rather the voicemail provider in this situation was required to read the REAL data, or ask for a password when it's not available, than be allowed to keep being insecure? As long as they demand laws to band-aid over their flaws and authoritarians like yourself rise to the call they'll never tackle their own problems. When it's illegal they'll pretend nobody can do it and when your voicemail gets listened to or goes missing they'll just say "that's impossible".
I'm talking about things that shouldn't be made into crimes. Your posts are nothing but a semantic game about the meaning of lie vs fraud. Fuck off with your pedantic bullshit.
Language is a semantic game. Either we use the words to communicate, or we don't. I'm trying to make sure we understand each other. You are using words in the opposite of their dictionary definitions, and it's confusing. You are the one playing semantic games. Lying for gain is fraud. Using CID spoofing is a lie. Using CID spoofing in the process of gaining something is fraud. That's how it works now. CID spoofing is fraud (as long as there's a gain). The only thing making CID spoofing illegal directly would do is to remove the proof of gain in order to prosecute the currently illegal practice of CID spoofing for gain.
You know what I was talking about and are totally unwilling to address the point.
No, I have no idea what you are talking about. I've repeatedly stated that I'm talking about "spoofing" being the common usage, not the technical usage, and you've apparently ignored all my clarifications and are arguing about something I've specifically said on multiple occasions I'm not talking about. And if that is the case, then I missed it because I figured that multiple explicit clarifications would clear that up.
CID changing is PART OF THE PROTOCOL, where clients can call themselves whatever they want, because the real information is lower in another untouchable field. It's like how ICQ gives you a user number but lets you change your nickname. To someone from another system it might seem like everyone can spoof each other until they know to use the number to identify people, not the name.
That's inaccurate. There's nothing that lets a home user on a generic residential line know the ANI. It can't be known, so the *only* thing they see is the nickname and the "real information" is *not* on a lower level delivered to the residential line. It isn't there. There aren't two pieces of information delivered, as you assert. You are 100% wrong about that, and everything else. You *can't* know the ANI as a residential home user. That you assert so indicates you have no knowledge of how things work.
I understand your fears. To you this is as scary as if your bank started offering services on IRC to people by their nickname. You'd be panicked someone else could use the name AK_Marc and clear out your account. But instead of doing the reasonable thing and demanding your bank fix its system, require passwords, etc, you're demanding laws to fix it by making a federal nickname registry.
I have no fear. But I have the realistic knowledge that lying to cheat people is illegal, and spoofing CID is used as a lie to cheat people. That's currently illegal. Making CID spoofing illegal will have just a tiny little change in proof of gain for those committing fraud with CID. Why do you think fraud should be legal?
Wouldn't you rather the voicemail provider in this situation was required to read the REAL data, or ask for a password when it's not available, than be allowed to keep being insecure?
And you accuse me of rhetorical games. You invent a false dichotomy and then assault some strawman. I didn't say anything that contradicts your statement, and your statement is unrelated to whether lying for gain is or isn't illegal.
As long as they demand laws to band-aid over their flaws and authoritarians like yourself rise to the call they'll never tackle their own problems.
Fraud is illegal. Do you think that lying for gain (fraud) should or shouldn't be illegal?
When it's illegal they'll pretend nobody can do it and when your voicemail gets listened to or goes missing they'll just say "that's impossible".
Again, non sequitur. I'm not speaking as to what's good security policy. I'm speaking as to what is illegal. Fraud is illegal. Lying about what number you are calling from fo
Learn to love Alaska
That's inaccurate. There's nothing that lets a home user on a generic residential line know the ANI. You are 100% wrong about that, and everything else.
I didn't say there was. I said:
CID changing is PART OF THE PROTOCOL
That the equipment to set it is so rare you haven't heard of it isn't my problem.
You're a fucking imbecile. Learn to read.
the *only* thing they see is the nickname and the "real information" is *not* on a lower level delivered to the residential line.
No, it's not there on the service you use for a residential line. That's one of the reasons it's obsolete.
I've repeatedly stated that I'm talking about "spoofing" being the common usage, not the technical usage, and you've apparently ignored all my clarifications
You want to make the simple action of a user setting the CID information a criminal act regardless of the circumstances.
Fraud already is against the law, even if it includes setting false CID information.
No, I have no idea what you are talking about.
Bullshit. You answered it above. I'm saying this is a technical issue and is working as intended.
You know full well what I'm trying to discuss and you play definition games.
Language is a semantic game.
Fuck off. You're the one trying to hammer what I say into your tiny little holes. If you didn't insist so hard about your one definition of fraud being the only one and actually tried to discuss the issue I was raising you could have skipped the last few moves in your little semantic game.
I have no fear. But I have the realistic knowledge that lying to cheat people is illegal, and spoofing CID is used as a lie to cheat people. That's currently illegal.
You're running to ban something that you already admit is banned.
Making CID spoofing illegal will have just a tiny little change in proof of gain for those committing fraud with CID.
You recognize it'll cause at absolute best a tiny little change for the bad guys, and yet you're still demanding it be forbidden.
And you accuse me of rhetorical games. You invent a false dichotomy and then assault some strawman.
Why do you think fraud should be legal?
You're the one trying to put words in my mouth. And blaming me for it while doing it.
You're either delusional or a liar.
and your statement is unrelated to whether lying for gain is or isn't illegal.
Did you ever stop to consider why?
It wasn't the conversation I was having. You keep trying to force me to answer crazy McCarthy-esque questions as if it could have any influence on the technical conversation at hand.
But you are arguing that because they have locks on doors, trespassing should be legal, right?
The law against trespassing is what keeps people from trespassing. We don't need a law against touching door-knobs.
To use your doorknob analogy, you want to forbid opening doors without authorization. A noble, but imbecilic, goal. The only effect it could have would be to decrease security by encouraging people to trust the law to keep them safe. Sure, a criminal who pursued them through an unlocked door could face a higher penalty for doing so but the victim would be dead/etc by then.
Again, non sequitur. I'm not speaking as to what's good security policy.
No, again with you trying to ignore my point in this thread, which is that political band-aids for technological problems are failures.
I am speaking as to what's a good security policy. To the degree that you are not, stop.
All I'll say about that is trespass is illegal and they have locks anyway.
Yes, because they aren't as stupid as you are. Locks keep people out, laws punish them later.
You want to make the simple action of a user setting the CID information a criminal act regardless of the circumstances.
I have never said that. That assertion, unrelated to my claims, would be the issue of why you are objecting.
It's simple. Do you think fraud should be illegal? Is lying for personal gain at someone else's expense fraud? Is passing untrue CID with the intent of deceiving someone a lie?
Answer those, and leave the insane assertions of what you think I really mean that's in direct contradiction to what I actually say. Go on, I dare you, actually answer the questions I ask regarding fraud. But no, you won't. You think lying for gain is ok, as long as the lie is deceitful CID. Or so you've said, as you said fraud should be illegal, but that no use of CID should ever be illegal, right? Correct me if I'm wrong. It's so hard to get you to say anything other than your rambling rants about how I'm wrong that it's hard to figure out what you actually think so I can address that.
To use your doorknob analogy, you want to forbid opening doors without authorization.
That's already the case. Breaking and Entering is illegal. "Breaking" is opening an unlocked door. In some places, just breaking is illegal. The laws you assert are absurd are already on the books. That just indicates to me that you have no connection to reality.
Learn to love Alaska
To use your doorknob analogy, you want to forbid opening doors without authorization.
That's already the case.
No, it isn't. Opening an unlocked door to go through it can be against some laws in some cases. Simply turning a knob or swinging a piece of wood is not. For instance, opening an "employees only" door to call for help would not be trespassing.
The laws you assert are absurd are already on the books. That just indicates to me that you have no connection to reality.
Yes, for instance it is illegal to own a device capable of listening to cellular calls, despite that this makes it harder for the victims and easier for the attackers. It's fucking absurd.
Is passing untrue CID with the intent of deceiving someone a lie?
Wearing a fake name-tag as part of a crime is a lie but you don't see the criminalization of name-tag vendors.
If your concern is that people are committing a crime, relax. It's probably a crime without the CID spoofing, and the spoofing is probably evidence of intent. It doesn't need to be illegal, itself, for criminals to not be able to exploit it.
Wearing a fake name-tag as part of a crime is a lie but you don't see the criminalization of name-tag vendors.
So you will never answer any yes/no question with a yes or a no. Instead, you ramble on about some tangent or such. Got it. The sky is blue. See, that proves your assertions all wrong. I like that game.
Learn to love Alaska
You're obviously incapable of asking an unloaded yes/no question, McCarthy.
You can't even define fraud. And yes, the questions are loaded, they make you look like an idiot who supports criminals. If I asked them to someone on the street, they'd answer them and move on, thinking that lying for profit is a bad thing. However, you obviously don't have that opinion. You are so interested in protecting your pet idea of lying for profit being a good thing that you won't listen to what anyone else has to say.
Learn to love Alaska
You are so interested in protecting your pet idea of lying for profit being a good thing that you won't listen to what anyone else has to say.
Are you on your meds? Because if not you must be a fucking imbecile.
Much Earlier:
Again, you are defending the people committing fraud. Why?
No, I'm advocating for a state of reality where we would have encrypted cellphones because the government hadn't just mandated that listening to calls is illegal.
I'm still just saying we shouldn't waste our money passing redundant and pointless laws that only leave us with a huge bill and a false sense of security. I don't know what kind of retard you'd have to be to think that protects criminals.
I know you're only acting from fear, but it's really your actions that help criminals. Prohibition was big business. Laws against cell-phone scanners just funded the smugglers who brought in foreign radios. Enforcement cost a fortune, having to buy crippled radios for more money really stunk, and nobody was any safer.
To stop fraud you have to prevent and punish fraud, the whole affair, not wearing a fake name tag. I know it's not the quick band-aid fix you wanted but at least it's not delusional.
And yes, the questions are loaded, they make you look like an idiot who supports criminals.
No, they make you look illiterate, and like a real asshole.
If I asked them to someone on the street, they'd answer them and move on, thinking that lying for profit is a bad thing.
If you asked your question to someone on the street they'd notice your awkward wording and the forced yes/no nature of it and they'd realize you're a kook pushing his special interest. I imagine they'd look for the camera.
I'm still just saying we shouldn't waste our money passing redundant and pointless laws that only leave us with a huge bill and a false sense of security.
Just because you bring up cell phones doesn't equate the two. With the cell phones, there is no way to know who is listening. With CID, it's obvious. With cell phones, you assert that the law prevents people from protecting themselves, but you assert nothing of the kind with CID.
So go ahead and explain, how does making CID spoofing illegal harm anyone? What's the "bill" associated with it? I understand your argument about a false sense of security, but that's the only kind we have. So whining about that is stupid. It would be so low down on the list, with most every law enforcement the government does now (terrorism, the war on drugs, three-strike laws, etc.) that one that makes it easier to prosecute those committing fraud is stupid. Not to mention, I believe you to be 100% wrong. People currently assume CID to be 100% secure. So working to make it more secure doesn't promote a false sense of security. People already have it, so making it more secure provides a net increase in security, not a decrease as you assert.
Learn to love Alaska
This problem isn't just confined to AT&T. The last time I checked Verizon did too. Described here: http://sharpesecurity.blogspot.com/2010/02/espionage-on-budget.html