"Well, it is exactly those policies, that made them a pariah of the world"
Iran used to be a friendly westernised, secular, relatively neutral country.
It got a bit too friendly with Russia, so the CIA sponsored a coup and put a young colonel named Pahlavi in as Shah.
The Shah then proceeded to rule with an iron fist and stomp all over religion - who got good at clandestine organising for survival purposes.
After 30 years people got sick of the brutality and had a revolution, organised by the religious groups as they had a lot of experience at it. Unfortunately they proved no better than what had gone before, HOWEVER they were "home grown" despots, rather than "despots put in by the west".
Iran's "attitude" is mostly sabre rattling because it generates a response which can be used as a bogeyman to keep their own population under a tight leash. If western powers simply went "yeah, right. Whatever", the Iranian leadership would lose credibility and power in a short period of time.
That won't happen, simply because it's _convenient_ for western powers to have a bogeyman of their own to keep their populations on a leash and the US federal govt on the war footing it's been flailing about trying to keep going since the end of the cold war (as soon as it steps down from that, it must devolve power back to the individual states). Iran is providing the Bogeyman.
It was western interference with an elected democratic govt and support of a vicious despot which eventually led to religious nutters getting control in Iran and western interference which then caused ongoing economic problems. Do you think the population needs much encouragement to spout anti-western comments? (FWIW the prime reason the religious nutters are still in control is because they have control of the military. Iran's young people have made things pretty clear about the way they feel on a number of occasions and as they comprise half the population, they will be a force to be reckoned with in the next couple of decades.)
"a ton of companies do fake surveys which they throw away, just so they can call you without falling afoul of the law. Then, during the call, they ask if it would be alright to call you again."
This kind of case is specifically covered under UK (and most EU) laws. Surveys cannot be used as a pretext to gain permission for a marketing call.
There are a number of recording apps for android and iphones which are handy to prove marketing claims.
I know some states have issues about two party calling, but sales calls are seldom intra-state and I can see an outfit which used two-party laws to get evidence thrown out which showed them making illegal calls getting extra special attention from the FCC.
In the EU, there's a specific exemption for recording if you are using it to document criminal/illegal activity which goes over and above the one-party recording rules that allow anyone to make recordings for their personal use.
"Now i tell them to "Fuck off", be abusive and swear my heart out."
I work on upsetting them and getting _them_ to swear at me. That leads to being able to lay complaints under section 126 of the UK telecommunications act (threatening calls, etc.).
If the UK police can use the act to prosecute and get convictions over off-colour jokes on Twitter, I see zero reason not to use it against telemarketers.
"Sure, but the telco should still sanity check the ANI provided to make sure it's a number permitted over that PRI "
This is _exactly_ what UK telcos started doing about 6-8 years ago, after years of claiming it was impossible.
Background: Several 0900 pranklines were set up with the ability to set whatever caller-ID the caller wanted and were used for nuisance calling (including at least one SWATing incident). During heated internal debates about the legality of this, someone leaked programming documents showing the switches had filtering as a built-in feature. Smaller telcos still don't filter, but the majors do filter what comes out of PRIs to prevent recurrences.
Even VoIP providers can filter, if they see a need (legislation compelling telcos to filter outbound CLID/ANI data would go a long way towards solving spoofing issues).
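The outbound ANI/CLID sanity check the post describes, as an added example that is not part of the original comments: a trunk inventory maps each PRI to the DDI blocks allocated to it, presented numbers are normalised to E.164 before a prefix check, and constructed CDR lines are replayed through the filter to surface the calls that would have been blocked. The trunk names, block allocations and CDR format are all assumptions made for the example; the phone numbers use the UK ranges reserved for fiction (020 7946 0xxx, 0161 496 0xxx).

```python
import re

# Constructed trunk inventory (not from any real telco). Each PRI has a numbering-plan
# length (UK national numbers are 12 digits in E.164) and one or more DDI blocks given
# as E.164 prefixes: "+44207946000" covers +44 20 7946 0000 to 0009, "+4420794605"
# covers 0500 to 0599.
TRUNK_ALLOCATIONS = {
    "pri-01": {"length": 12, "blocks": ("+44207946000", "+44207946001", "+44207946002")},
    "pri-02": {"length": 12, "blocks": ("+4420794605",)},
}

# Constructed CDR format for the example: "<timestamp> trunk=<id> clid="<presented>" ..."
_CDR = re.compile(r'^(\S+) trunk=(\S+) clid="([^"]*)"')


def normalise(number, default_cc="44"):
    """Reduce a presented number to E.164 (+CC...) so spacing, 00 prefixes and
    national trunk-prefix formatting cannot slip a number past a prefix check."""
    has_plus = number.strip().startswith("+")
    digits = re.sub(r"\D", "", number)
    if has_plus:
        e164 = "+" + digits
    elif digits.startswith("00"):
        e164 = "+" + digits[2:]
    elif digits.startswith("0"):
        e164 = "+" + default_cc + digits[1:]
    else:
        e164 = "+" + digits
    # E.164 allows at most 15 digits; fewer than 8 is treated here as a truncated CLID.
    if not 8 <= len(e164) - 1 <= 15:
        raise ValueError(f"malformed number: {number!r}")
    return e164


def check_outbound(trunk, presented_clid):
    """Decide whether a caller ID presented on a trunk may leave the switch.
    Returns (verdict, canonical_number, reason)."""
    plan = TRUNK_ALLOCATIONS.get(trunk)
    if plan is None:
        return ("deny", None, f"unknown trunk {trunk}")
    try:
        e164 = normalise(presented_clid)
    except ValueError as exc:
        return ("deny", None, str(exc))
    if len(e164) - 1 != plan["length"]:
        return ("deny", e164, "wrong length for this trunk's numbering plan")
    if any(e164.startswith(prefix) for prefix in plan["blocks"]):
        return ("allow", e164, "within allocated DDI block")
    return ("deny", e164, "caller ID not allocated to this trunk")


def scan_cdrs(text):
    """Replay CDR lines through the filter; return the records that would have been
    blocked as (timestamp, trunk, presented_clid, reason)."""
    denied = []
    for line in text.splitlines():
        m = _CDR.match(line)
        if not m:
            continue
        ts, trunk, clid = m.groups()
        verdict, _, reason = check_outbound(trunk, clid)
        if verdict == "deny":
            denied.append((ts, trunk, clid, reason))
    return denied


# Constructed CDR sample: two legitimate presentations, two numbers not allocated to
# the trunk they were sent on, one truncated CLID and one unknown trunk.
SAMPLE_CDRS = """\
2013-05-01T10:00:01Z trunk=pri-01 clid="+44 20 7946 0007" dest=+441632960100
2013-05-01T10:00:09Z trunk=pri-01 clid="020 7946 0123" dest=+441632960101
2013-05-01T10:01:15Z trunk=pri-02 clid="0044 20 7946 0542" dest=+441632960102
2013-05-01T10:01:44Z trunk=pri-02 clid="0161 496 0000" dest=+441632960103
2013-05-01T10:02:02Z trunk=pri-01 clid="999" dest=+441632960104
2013-05-01T10:02:30Z trunk=pri-09 clid="+44 20 7946 0001" dest=+441632960105
"""

if __name__ == "__main__":
    for ts, trunk, clid, reason in scan_cdrs(SAMPLE_CDRS):
        print(f"{ts} {trunk} blocked {clid!r}: {reason}")
```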
"In the USA, you can't tell the difference between a mobile number and a landline number by looking at it,"
That's not always true.
There are numbering ranges ("area codes") which are dedicated to cellular use and the caller usually pays (free incoming) for those.
The issue about mobile owners paying for incoming is because the original cellular allocations gave half the band to the local wireline incumbent. They had no incentive to provide a separate area code for mobiles, so wireside and wireless calls were in the same code, meaning that callers had no idea if they were calling mobile phones.
(On top of this, if you roamed to another town, you would be hit with horrific roaming fees for merely being connected, whether any calls were made or not. The whole mess was an accountant's wet dream.)
It's not so much of a big issue these days as people buy blocks of minutes and incoming calls are taken from those first.
That model still persists to some degree, but dedicated wireless number prefixes are in increasing use USA-wide and mixed-use area codes comprise a declining percentage of mobile phones.
(BTW, be very careful with assumptions about "mobile numbers" - in the UK 070 is a historic premium rate range and numbers in this range cost between GBP 0.5-1.5 per minute to call. It's common for scammers to exploit these numbers as most consumers assume "07 = mobile".)
"That doesn't help much when the caller is in another jurisdiction such as India."
Sure it does.
The TCPA allows you to go after the marketing company which hired the caller AND the company they're marketing for, so just let them give over enough information to identify the company concerned (follow the money) and then you'll probably be able to cut a deal with them to identify the USA company they hired to do the marketing.
As for repeated calls, that's a straightforward harassment issue and you can use criminal charges to deal with that as well as the TCPA's civil paths.
"They say they issue fines of 1.5 million GBP last year -that's nothing."
They also go silent when asked how much they actually _collected_.
The UK phone abuse laws are seldom enforced and they specifically disempower end users. There is _no_ right of private action as there is with the TCPA, and the sole regulator is deliberately restricted in staff levels so they can only deal with a tiny fraction of 1% of complaints.
"If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately."
Most bugs are trivially avoidable. MS has a sordid history of producing utterly buggy code with security tacked on as an afterthought.
Just because a security researcher has reported a bug doesn't mean the bad guys aren't already using them. 0-day means it was discovered because a badguy triggered an alert. I've run into a number of reports/fixes (particularly on webservers) where looking at historic logs showed that attempts to use the exploit were made long before the researcher found/reported the bug.
Bad guys have a higher level of motivation to find and exploit bugs than whitehats - and an even higher level of motivation to try and not be detected doing so.
> Eventually, some jackass will say "Shoot the messenger! Its their fault bad guys can exploit our insecure product!"
Yup and this is a common tactic. More flamewars have erupted over publishing bugs than the actual bugs themselves.
MS has historically been one of the worst offenders when bug-reporters have cooperated with them and not publicly disclosed. The record between "reported" and "fixed" is more than two years.
> "90 days, or DIE!!!" Rules should have exceptions
Having been in this business for more than 30 years, I disagree.
Having a fixed deadline to get their shit together not only focusses a company's attention on fixing the bugs, it also focusses their attention in not releasing bug-ridden code in the first place.
Many years ago, as a DNS admin I discovered that BIND interprets IP addresses in the configuration files with leading 0s as octal.
This is an explicit violation of the RFC (which states that IP addresses are dotted decimals) and as such I posted about it on Bugtraq.
Instead of it being fixed, there was a flamewar. Several people (including BIND's author, who was also the RFC author) pointed out that 0xNNN also works and claimed that "it's supposed to work this way".
When I pointed out the RFC paragraph and stated that either the RFC or the code needed to be altered so that everything was consistent, the response was a flamefest.
Not long after that, spammers and others started posting URLs of long decimals, binary, octal and various other formats.
That flaw is STILL in BIND, and STILL catching out DNS admins who try 0-padding their config files for readability - and the RFC has never been altered.
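The two readings of an IPv4 literal the post is arguing about, as an added example that is not part of the original comments and not BIND's code: a permissive parser in the style of the classic BSD inet_aton(3) (decimal, leading-zero octal and 0x hex parts, with short forms packed into the remaining bytes) beside a strict dotted-decimal check, plus an audit that walks a constructed named.conf-style fragment and reports every literal whose value depends on the permissive rules. The config fragment and the exact hex/octal/packing grammar are assumptions for the example.

```python
import re

# Permissive grammar in the style of the classic BSD inet_aton(3): each part may be
# decimal, octal (leading 0) or hex (0x...), and with fewer than four parts the last
# part is packed into all remaining bytes. This is the behaviour the post describes.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|[0-9]+)$")
# Strict dotted-decimal text: exactly four decimal parts, 0-255, no leading zeros.
_STRICT = re.compile(r"^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
                     r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$")
# Candidate tokens in a config: at least one dot, so version strings and bare
# integers such as port numbers are not reported as addresses.
_CANDIDATE = re.compile(r"(?<![\w.])(?:0[xX][0-9a-fA-F]+|[0-9]+)"
                        r"(?:\.(?:0[xX][0-9a-fA-F]+|[0-9]+))+(?![\w.])")


def parse_permissive(literal):
    """Return the 32-bit address inet_aton-style parsing yields, or raise ValueError."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        raise ValueError(f"not an IPv4 literal: {literal!r}")
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))        # the octal surprise: 010 == 8, 09 is an error
        else:
            values.append(int(p, 10))
    addr = 0
    for v in values[:-1]:
        if v > 255:
            raise ValueError(f"part out of range: {literal!r}")
        addr = (addr << 8) | v
    tail_bits = 8 * (5 - len(parts))        # bits left for the final part
    if values[-1] >= 1 << tail_bits:
        raise ValueError(f"final part out of range: {literal!r}")
    return (addr << tail_bits) | values[-1]


def to_dotted_quad(addr):
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def audit_literal(literal):
    """('ok', canonical) when the literal is strict dotted-decimal; ('rewritten',
    canonical) when only the permissive grammar accepts it, so its value depends on
    octal/hex/packing rules; ('invalid', None) when neither parser accepts it."""
    try:
        canonical = to_dotted_quad(parse_permissive(literal))
    except ValueError:
        return ("invalid", None)
    if _STRICT.match(literal):
        return ("ok", canonical)
    return ("rewritten", canonical)


def audit_config(text):
    """Return [(line_no, token, canonical)] for every address literal in a config
    text that the permissive parser would quietly reinterpret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in _CANDIDATE.findall(line):
            verdict, canonical = audit_literal(token)
            if verdict == "rewritten":
                findings.append((line_no, token, canonical))
    return findings


# Constructed named.conf-style fragment (not a real configuration): the admin
# zero-padded for column alignment, and one ACL entry uses hex shorthand.
SAMPLE_CONFIG = """\
options { listen-on port 53 { 192.168.001.010; 192.168.001.001; }; };
acl "trusted" { 010.000.000.000/8; 0x7f.1; 172.016.000.000/12; };
"""

if __name__ == "__main__":
    for line_no, token, canonical in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {token!r} is read as {canonical}")
```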
Or 11 more sets of programmers to go over the existing code.
The shallowness issue isn't to do with the number of eyes using the code, it's the number of eyes looking at the internals.
The vast majority of "legacy code" has _never_ been audited. Everyone assumes "Someone else already did this. It's safe"
I've had that exact argument raised by managers (many of whom are computing greybeards who should know better) as reasons for sticking with legacy code instead of moving to newer packages. The stupid thing is that they continue to raise this argument and be proven wrong (the glaring X11 bugs being a classic case - they fell out within minutes of someone going "I wonder if?" and hitting the source with a basic static analyser)
The open-source code base is enormous but even a couple of small projects systematically looking for the low hanging fruit would be better than the status quo. You can pretty much guarantee that blackhats are already doing this but they have no interest in publicising the results.
"I had a drive fail once, and didn't have backups. The drive failed in such a way that I was quoted $2,000 for an attempt to recover the data, and no guarantee the procedure would work. "
$2000 is the standard price. It happens semi-regularly here despite warnings to researchers that if they fail to allow backups to run, they're liable for recovery costs.
In most non-servo board failures, it's a case of loss of the servo track and recovery outfits get the drive working by tweaking arm position until it recaptures the track (there are a few videos on this as well as showing how cover screw torque can be critical to reading - in some cases simply retorquing the cover is apparently enough to get the drive running again)
The Peter Gutmann paper which talks about data recovery on hard drives by reading track edges and relying on imprecise positioning was performed on 20Mb MFM and RLL stepper motor hard drives (the kind which needed to be "parked" before switching off). These _are_ serious museum pieces which always had a bit of mechanical "slop" in the gearing/steel band mechanisms which actually drove the head position.
All drives greater than 200Mb use variable sector geometry, so track layout is nowhere near as predictable and beyond that point the track density is such that it could take _years_ to recover one drive, if it's possible at all.
Voice coil hard drives use continuous feedback mechanisms to ensure the heads are centred, resulting in a much higher positioning accuracy than can ever be obtained from stepper-motor-based systems.
Gutmann himself wrote a followup several years later stating that the DoD overwrite procedure was largely irrelevant to voice-coil based drives and that a single security wipe was more than sufficient in any drive manufactured past about 1996. He was sick of it being used as some kind of voodoo when it didn't matter anymore.
Dish have been spamming various addresses of mine for over a decade.
They're unrepentant recidivists and deserve to be taken out of business.
Marketers aren't going to call you for a non-existent company. All you have to do is let them talk and they'll tell you who they're selling for.
At that point you file against that company. The TCPA covers that quite nicely.
"They were not cooperative or open about what they were doing though, which would have been part of being above board."
As soon as the USA threatened to play hardball, Iraq cooperated. The USA invaded anyway.
"I'm not sure if these factors make a measurable difference in tire wear, but it's plausible."
EVs are HEAVY. So far all the indications I've seen is that the tires wear faster as a result.
"53 Calls = Harassment and should equal jailtime"
There, FTFY.
As soon as they launched into the spiel, it's a marketing call and wrong number claims no longer hold water.
The same thing applies to "surveys" which turn into sales calls or are used as a pretext to get a sales call.
Standard practice for calling from a previously unknown number is often "make 1-2 one ring calls, THEN let it ring for a longer period"
> across an impossibly large array of hardware configurations
Almost all the bugs so far reported are architecture-agnostic.
The issue is (as always) that MS philosophy has always been "Ship it now, fix bugs later"
Any amount of water in a civil nuclear reactor is "too much water".
LFTRs ftw.
Same thing applies in the EU, even for service contracts.
There's also a strange mentality at work.