Date: Sun, 1 Oct 2006 12:28:41 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Truths in "Truth in Caller ID Act"

So the United States government wants to pass the "Truth in Caller ID" act. Humorously it will do little to deter criminals from spoofing their caller ID and scamming innocent victims. Here is the rule/law followed by why it will fail:

"It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm."

Re-read it a few times and let some common sense kick in. "unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information" What in this bill exactly deters someone from abroad to continue their activities? Firstly they're not bound by U.S. laws, secondly if their servers are abroad those servers are in their lawful means to do what is legally appropriate for their location.

Now argumentatively how will the United States seek to prosecute say a telemarketer from using a service abroad to traverse back into the U.S.? Let's re-read the letter of the law again shall we? "unlawful for any person within the United States, etc., etc., to cause any caller identification, etc., etc." So how does caller ID change, is it caused by the telemarketer, the server sending out the caller ID information, or the provider of that server? Obviously the telemarketer led the server to change the information, but ultimately the provider dished out the number, hence the provider being the true culprit.

The more I read about this law/rule/prohibition, the more I scratch my head at it.

So let's now see how the government intends on tracking someone shall we?

CallerIDBusterFoobar.com is a server located in Moscow. They're hosted there, their provider is there, their uplink is in Russia, etc. Joe Smith is a scumbag thief interested in stealing the credit card information of a "few good men". He lives in Boondock Arizona and spends much too much time thinking up scams. He signs up for an account at CallerIDBusterFoobar.com, assigns 800-DISCOVER as his caller ID and proceeds to scam countless people out of their information. With this information he sets up fraudulent drops and pickups somewhere in Moldovia.

How will U.S. authorities track him down? They won't. They don't have access to the servers in Russia for starters, secondly how many people are reporting these crimes. Alright, let's be fair for a moment, someone at Discover "discovers" that the call actually originated from Russia. So what? Unless the foreign country is cooperating with U.S. authorities, there is little the United States government with all their so called legislation would be able to do.

Now let's take it a step further, Joe Smith decided to use Privoxy with a WiFi phone from an open network. He managed to steal a VoIP account while scanning a class A for port 5060 and leveraged someone's information. He always has used Tor and Privoxy on his personal distro of Linux on a CD so he knows that there will be no residue from his crimes due to him using this CD on this machine so he is scot-free technologically.

How does the United States intend on stopping him again? I get it now, since the United States government in all of their mighty wisdom is passing this bill it is only obvious that criminals are going to respect U.S. laws, I mean after all those in government follow their own laws so why shouldn't a criminal.

Comments, criticism?

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 
