Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls
https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-comb...
Federal Communications Commission Chairman Ajit Pai today proposed a major step forward to further the FCC’s efforts to protect consumers against spoofed robocalls: new rules requiring implementation of caller ID authentication using so-called “STIR/SHAKEN” technological standards. STIR/SHAKEN enables phone companies to verify the accuracy of caller ID information that is transmitted with a call. Industry-wide implementation would reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers.
The FCC will vote on these new rules during its Open Meeting on March 31.
On 3/6/20 2:34 PM, Sean Donelan wrote:
https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-comb...
Federal Communications Commission Chairman Ajit Pai today proposed a major step forward to further the FCC’s efforts to protect consumers against spoofed robocalls: new rules requiring implementation of caller ID authentication using so-called “STIR/SHAKEN” technological standards. STIR/SHAKEN enables phone companies to verify the accuracy of caller ID information that is transmitted with a call. Industry-wide implementation would reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers.
The FCC will vote on these new rules during its Open Meeting on March 31.
In my opinion, STIR/SHAKEN is solving the wrong problem. e.164 addresses are dinosaurs and pretty irrelevant for identity. Cryptographic protection of the From: address in SIP would be a lot more sane because we already know how to do that. Since it's basically an all SIP world these days, we should just retire e.164'isms and move on.
Mike
Good luck supporting it on legacy TDM switches. I know work-arounds exist, but nobody wants to invest any money in modifying legacy gear.
At 05:34 PM 06/03/2020, Sean Donelan wrote:
https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-comb...
Federal Communications Commission Chairman Ajit Pai today proposed a major step forward to further the FCC’s efforts to protect consumers against spoofed robocalls: new rules requiring implementation of caller ID authentication using so-called “STIR/SHAKEN” technological standards. STIR/SHAKEN enables phone companies to verify the accuracy of caller ID information that is transmitted with a call. Industry-wide implementation would reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers.
The FCC will vote on these new rules during its Open Meeting on March 31.
-- Clayton Zekelman Managed Network Systems Inc. (MNSi) 3363 Tecumseh Rd. E Windsor, Ontario N8W 1H4 tel. 519-985-8410 fax. 519-985-8409
On March 6, 2020 at 17:34 sean@donelan.com (Sean Donelan) wrote:
https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-comb...
Federal Communications Commission Chairman Ajit Pai today proposed a major step forward to further the FCC’s efforts to protect consumers against spoofed robocalls: new rules requiring implementation of caller ID authentication using so-called “STIR/SHAKEN” technological standards. STIR/SHAKEN enables phone companies to verify the accuracy of caller ID information that is transmitted with a call. Industry-wide implementation would reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers.
The FCC will vote on these new rules during its Open Meeting on March 31.
Why don't they just ask the phone companies who are billing these robocallers who they are and we can arrest them.
[ And if your urge is to jump on your keyboard and deny the telcos know exactly who they are please ask yourself if you really know or are you just defending some world view based on nothing really other than you're uncomfortable with such treachery. Last time we went around this several weeks ago people who actually truly have worked in the telco biz on exactly this sort of thing responded yes, exactly, the telcos know just who they are and do indeed bill them for those robocalls. ]
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Fri, 2020-03-06 at 18:37 -0500, bzs@theworld.com wrote:
Why don't they just ask the phone companies who are billing these robocallers who they are and we can arrest them.
Exactly.
I have always maintained that if my phone number were one of those "premium" numbers (1-976 -- maybe I am dating myself but you know what I mean -- where calls to it were billed at $5/min), I am sure that my telco (the one providing me the premium number on my the phone line that runs into my location) would always know exactly who to send the bill to for every call that called my number, including robocallers[1].
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
But who are we kidding? The telcos have been making money hand over fist with robocalls and are not really all that motivated to dry up that revenue stream. Regulation (as much as I hate it in general) is the only solution.
Making the allowing of robocalls more expensive than preventing them is the only solution. Whether that is through fines as a result of regulation or otherwise.
Cheers, b.
[1] I remember hearing a story of a guy, in the UK I think, that got a premium number and then printed business cards with it on it and then ran around a trade show handing out the cards. That seems kind of shady, but the idea of getting a premium number and having it criminally sold to telemarketers, phishers and scammers makes me giddy.
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
You are technically correct, the best kind of correct.
Seriously though, a bunch of the conversation about shaken/stir and various problems with spam callers reveals: "telcos don't care (for any reason you can imagine)" "gov't mandates aren't really going to help" "people care as recipients of these calls, but really there are options for them as well to not get the calls (or not answer them)"
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
On 3/7/20 9:53 AM, Christopher Morrow wrote:
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
Well to be clear, i think it's high time to just ignore the old pstn identity stuff altogether and just use the SIP From.
Mike
On Sat, Mar 7, 2020 at 1:11 PM Michael Thomas <mike@mtcc.com> wrote:
On 3/7/20 9:53 AM, Christopher Morrow wrote:
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
Well to be clear, i think it's high time to just ignore the old pstn identity stuff altogether and just use the SIP From.
that too was my message 12 yrs ago... I thought:
1) cell phones and anything like a cell phone (sip things) can 'just do this'
2) anything not in category1 could have the data stamped by the thing electrically connected to it (in the CO)
really, this isn't TOO hard, and it enables a new business in the 'directory of certs' business... and clear info to the endpoints about the caller: "This number says 1900-foo-bart, but that's not matching the Cert I have for FooBart services? fake-call!" lots of good options there, little interest from 'telco lawyer troll' in the room. #ebonyphone!
Has encryption ever solved scams/fraud/spam?
Extended Validation SSL Certificates - Just pay a Certificate Authority more money
DKIM signed email - Just pay a mail provider more money to blast email
SWIFT encrypted payments - Just find the weakest bank somewhere in the world
On 3/7/20 11:54 AM, Sean Donelan wrote:
Has encryption ever solved scams/fraud/spam?
Extended Validation SSL Certificates - Just pay a Certificate Authority more money
DKIM signed email - Just pay a mail provider more money to blast email
SWIFT encrypted payments - Just find the weakest bank somewhere in the world
it takes an ecosystem, authentication being one tool. before we did dkim practically nobody was using smtp auth. i would like to think that the accountability end of dkim's "blame us" had some effect, but it was probably in the water at the time.
Mike
In article <nycvar.OFS.7.77.840.2003071446060.17953@cnex.qbaryna.pbz> you write:
Has encryption ever solved scams/fraud/spam?
No, but signatures have helped so you can more easily identify known friends and concentrate the analysis on the rest.
DKIM signed email - Just pay a mail provider more money to blast email
This must be some DKIM other than the one the IETF standardized and every large mail provider uses to manage mail streams. There's no CA's, you publish your own verification key in your DNS, and it costs nothing beyond the software upgrades to use.
R's, John
On Sat, 7 Mar 2020, John Levine wrote:
This must be some DKIM other than the one the IETF standardized and every large mail provider uses to manage mail streams. There's no CA's, you publish your own verification key in your DNS, and it costs nothing beyond the software upgrades to use.
Most DNS registers avoid verifying customer information as long as the payment clears (for a short time). DKIM (and DNSSEC) is built on top of trusting tokens from third-parties which disclaim all liability. Cryptography is not magic pixie dust. It won't create trust between unknown parties. Cryptography works between parties already known to each other to verify existing trust. Phone companies and advertisers have already demonstrated they can't be trusted to act as third-party introducers. They are more than willing to sell-out that trust to the highest bidder. The reality is my phone already knows the numbers of my circle of friends and loved ones. Overseas call centers randomly generating phone numbers aren't matching the subset of phone numbers that cause my phone to ring. When the scammers start matching social media circles and phone numbers, then I'll need something new. Eventually we'll have STE/STU-equivalent end-to-end verification on our smartphones.
On 3/7/20 3:53 PM, Sean Donelan wrote:
On Sat, 7 Mar 2020, John Levine wrote:
This must be some DKIM other than the one the IETF standardized and every large mail provider uses to manage mail streams. There's no CA's, you publish your own verification key in your DNS, and it costs nothing beyond the software upgrades to use.
Most DNS registers avoid verifying customer information as long as the payment clears (for a short time). DKIM (and DNSSEC) is built on top of trusting tokens from third-parties which disclaim all liability.
That's not how DKIM works at all. Even a little bit.
Mike
Most DNS registers avoid verifying customer information as long as the payment clears (for a short time). DKIM (and DNSSEC) is built on top of trusting tokens from third-parties which disclaim all liability.
Right. The only promise that DKIM makes is that if you have a stream of mail signed by the same domain, you can praise or blame the same entity for it. It's a handle that recipient systems can use to build a reputation system, not a whitelist. DKIM has worked this way since 2006, the documentation is entirely clear that's what it does, and I'm kind of surprised you haven't gotten the memo.
Phone companies and advertisers have already demonstrated they can't be trusted to act as third-party introducers.
No kidding. I've talked to people at big telcos who are in the middle of STIR/SHAKEN and they tell me they plan to use it pretty much the same way that mail providers use DKIM. Some senders will have a good reputation and their calls will be delivered, some won't, and not so much. As with mail, it also provides a handle to push back on people sending unwanted junk.
Eventually we'll have STE/STU-equivalent end-to-end verification on our smartphones.
That's known not to work for e-mail spam, so I can't imagine why anyone would expect it to work for phone calls.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
Totally agree with you there, I run a mail server/monitoring server on OVH. With TLSA records, DKIM, and MTA-STS, I’ll still see junk filters on it if I accidentally email someone other than myself. Yes my space has been SWIP’d and I send so low email volume so its reputation would be neutral at best which very much justifies the spam filters due to OVH’s reputation. Somehow I don’t think SHAKEN/STIR would be any different. I wonder how far this would go on VoIP transit. I purchase from voicetel.com for my house, which purchases from some other providers, which probably aggregates to others. It doesn’t seem like this is quite as easy as looking up a whois from ARIN.
Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300
On Mar 7, 2020, at 7:46 PM, John R. Levine <johnl@iecc.com> wrote:
Most DNS registers avoid verifying customer information as long as the payment clears (for a short time). DKIM (and DNSSEC) is built on top of trusting tokens from third-parties which disclaim all liability.
Right. The only promise that DKIM makes is that if you have a stream of mail signed by the same domain, you can praise or blame the same entity for it. It's a handle that recipient systems can use to build a reputation system, not a whitelist. DKIM has worked this way since 2006, the documentation is entirely clear that's what it does, and I'm kind of surprised you haven't gotten the memo.
Phone companies and advertisers have already demonstrated they can't be trusted to act as third-party introducers.
No kidding. I've talked to people at big telcos who are in the middle of STIR/SHAKEN and they tell me they plan to use it pretty much the same way that mail providers use DKIM. Some senders will have a good reputation and their calls will be delivered, some won't, and not so much. As with mail, it also provides a handle to push back on people sending unwanted junk.
Eventually we'll have STE/STU-equivalent end-to-end verification on our smartphones.
That's known not to work for e-mail spam, so I can't imagine why anyone would expect it to work for phone calls.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
On March 7, 2020 at 14:54 sean@donelan.com (Sean Donelan) wrote:
Has encryption ever solved scams/fraud/spam?
Extended Validation SSL Certificates - Just pay a Certificate Authority more money
DKIM signed email - Just pay a mail provider more money to blast email
SWIFT encrypted payments - Just find the weakest bank somewhere in the world
DKIM will be incredibly effective when we deploy a reputation database as I was scolded at by someone who was deeply involved in all this in 2003 when I expressed some skepticism.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
What is an "ebony phone"? (Google results for that phrase are mostly porn.)
On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
You are technically correct, the best kind of correct.
Seriously though, a bunch of the conversation about shaken/stir and various problems with spam callers reveals: "telcos don't care (for any reason you can imagine)" "gov't mandates aren't really going to help" "people care as recipients of these calls, but really there are options for them as well to not get the calls (or not answer them)"
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
In this case, “ebony phone” refers to the (usually) black housing of landline phones, either dial or manual that your parents probably used for years. Caller ID has long been supplied (for extra cost) to subscribers as a signal interspersed with the ring signal. The answer to “what about ebony phones” is to require telcos to verify the Caller ID which is delivered to landline telephones along with the ring signal. Again, this is not likely since it would impact the telco’s profit margin.
James R. Cutler James.cutler@consultant.com GPG keys: hkps://hkps.pool.sks-keyservers.net
On Mar 9, 2020, at 9:25 PM, Ross Tajvar <ross@tajvar.io> wrote:
What is an "ebony phone"? (Google results for that phrase are mostly porn.)
On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
You are technically correct, the best kind of correct.
Seriously though, a bunch of the conversation about shaken/stir and various problems with spam callers reveals: "telcos don't care (for any reason you can imagine)" "gov't mandates aren't really going to help" "people care as recipients of these calls, but really there are options for them as well to not get the calls (or not answer them)"
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
On Mon, Mar 9, 2020 at 9:25 PM Ross Tajvar <ross@tajvar.io> wrote:
What is an "ebony phone"? (Google results for that phrase are mostly porn.)
https://www.ebay.com/itm/1950S-WESTERN-ELECTRIC-EBONY-BLACK-ROTARY-DIAL-DESK...
I agree, that's a form of porn. #rule34
-chris
On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway <bryan@shout.net> wrote:
On 3/7/20 8:03 AM, Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
On the contrary: billing is easy. Getting it right is hard.
You are technically correct, the best kind of correct.
Seriously though, a bunch of the conversation about shaken/stir and various problems with spam callers reveals: "telcos don't care (for any reason you can imagine)" "gov't mandates aren't really going to help" "people care as recipients of these calls, but really there are options for them as well to not get the calls (or not answer them)"
I like that Mr Thomas's answer: "Why can't we just cryptographically sign the caller's ANI and use that as a method to ID real callers we care about?" since that was my suggestion to the stir folk in their very first meeting... "what about ebony phones!" said the lawyer from telco-ville.
What is an "ebony phone"? (Google results for that phrase are mostly porn.)
https://www.ebay.com/itm/1950S-WESTERN-ELECTRIC-EBONY-BLACK-ROTARY-DIAL-DESK...
at least the swedes knew basic arithmetic https://www.ebay.com/itm/C-Late-40s-early-50s-Vintage-Swedish-Rotary-Dial-Ph...
On March 7, 2020 at 02:03 morrowc.lists@gmail.com (Christopher Morrow) wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
You are mistaken, billing is very hard. Telcos show this regularly.
Telcos have been described as vast and efficient billing systems with some minor voice service functions attached.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Fri, Mar 6, 2020 at 8:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
On Fri, 2020-03-06 at 18:37 -0500, bzs@theworld.com wrote:
Why don't they just ask the phone companies who are billing these robocallers who they are and we can arrest them.
Exactly.
I have always maintained that if my phone number were one of those "premium" numbers (1-976 -- maybe I am dating myself but you know what I mean -- where calls to it were billed at $5/min), I am sure that my telco (the one providing me the premium number on my the phone line that runs into my location) would always know exactly who to send the bill to for every call that called my number, including robocallers[1].
So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from.
But who are we kidding? The telcos have been making money hand over fist with robocalls and are not really all that motivated to dry up that revenue stream. Regulation (as much as I hate it in general) is the only solution.
Making the allowing of robocalls more expensive than preventing them is the only solution. Whether that is through fines as a result of regulation or otherwise.
This is similar to the BCP38 problem of spoofed packets making their way onto the internet. The recipient has no way of knowing which packets are spoofed, but with (sampled) netflow/sflow, the origin of a flood of traffic *can* be traced, even if spoofed. And, once traced, it *can* be filtered. The fact transit providers don't do this traceback and filtering today is simply because it would cost money, and they make more money carrying the traffic (and also the amplified DDoS traffic it causes).
The only solution is to make it more expensive to facilitate criminal activity than to prevent it. I think we're seeing the beginnings of this in the telco industry, and I hope it carries over to the internet.
In the robocall case, there *is* something the end user can do to fight the abuse: answer every call, and keep them on the line as long as possible. They are paying for connected calls, for the connection duration, and for the humans to scam people. If everyone tarpitted them, the business model would fail.
Damian
Send them all to Lenny! If Apple and Google implemented a "Forward to Lenny" option in their OSes, robo calls would drop dramatically. :-)
----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP
----- Original Message -----
From: "Damian Menscher via NANOG" <nanog@nanog.org>
To: "Brian J. Murrell" <brian@interlinx.bc.ca>
Cc: "NANOG mailing list" <nanog@nanog.org>
Sent: Sunday, March 8, 2020 11:59:07 AM
Subject: Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls
On Fri, Mar 6, 2020 at 8:05 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
On Fri, 2020-03-06 at 18:37 -0500, bzs@theworld.com wrote:
Why don't they just ask the phone companies who are billing these robocallers who they are and we can arrest them.
Exactly. I have always maintained that if my phone number were one of those "premium" numbers (1-976 -- maybe I am dating myself but you know what I mean -- where calls to it were billed at $5/min), I am sure that my telco (the one providing me the premium number on my the phone line that runs into my location) would always know exactly who to send the bill to for every call that called my number, including robocallers[1]. So, if my telco can bill the callers for those premium calls, they surely know who they are, or at least know where they are sending the bill and getting payment from. But who are we kidding? The telcos have been making money hand over fist with robocalls and are not really all that motivated to dry up that revenue stream. Regulation (as much as I hate it in general) is the only solution. Making the allowing of robocalls more expensive than preventing them is the only solution. Whether that is through fines as a result of regulation or otherwise. This is similar to the BCP38 problem of spoofed packets making their way onto the internet. The recipient has no way of knowing which packets are spoofed, but with (sampled) netflow/sflow, the origin of a flood of traffic *can* be traced, even if spoofed. And, once traced, it *can* be filtered. The fact transit providers don't do this traceback and filtering today is simply because it would cost money, and they make more money carrying the traffic (and also the amplified DDoS traffic it causes). The only solution is to make it more expensive to facilitate criminal activity than to prevent it. I think we're seeing the beginnings of this in the telco industry, and I hope it carries over to the internet. In the robocall case, there *is* something the end user can do to fight the abuse: answer every call, and keep them on the line as long as possible. They are paying for connected calls, for the connection duration, and for the humans to scam people. If everyone tarpitted them, the business model would fail. 
Damian
It's really not analogous to most of the mass attacks on the net because the entire telco system is built to know who is using it in great detail.
Have you ever made a billable call and *not* been billed for it?
If you're getting the same "Hi, this is <NAME> from card holder services" calls like everyone else, or auto warranty etc etc etc, that means they're making millions of calls per day, possibly hundreds of millions...per day.
No one makes many millions of voice calls without paying the telcos.
If you don't believe me try it. You'll have a swat team at your home or office (or possibly a telco sales person) probably after just hundreds of calls and you'll be blocked, shut down.
The telcos are making a lot of money on these calls.
They know exactly who is making them because they know exactly who they're sending that bill to and their payment history.
Which primarily leaves the question of why this Kabuki theater by the FCC et al pretending as if it's some vast, uncontrollable evil like the corona virus etc.?
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Sun, Mar 8, 2020 at 2:18 PM <bzs@theworld.com> wrote:
It's really not analogous to most of the mass attacks on the net because the entire telco system is built to know who is using it in great detail.
You don't think transit providers bill their customers?
The analogy holds surprisingly well. Any transit provider (or other ISP) could trivially identify their customers who are launching spoofed attacks, simply by looking for a high volume of SYN packets, or a high diversity of source ASNs, or several other signals. But instead they pretend it's "hard", just as the telcos do. In reality, the only thing that's hard about it is the policy decision of turning away money.
Damian
Have you ever made a billable call and *not* been billed for it?
If you're getting the same "Hi, this is <NAME> from card holder services" calls like everyone else, or auto warranty etc etc etc, that means they're making millions of calls per day, possibly hundreds of millions...per day.
No one makes many millions of voice calls without paying the telcos.
If you don't believe me try it. You'll have a swat team at your home or office (or possibly a telco sales person) probably after just hundreds of calls and you'll be blocked, shut down.
The telcos are making a lot of money on these calls.
They know exactly who is making them because they know exactly who they're sending that bill to and their payment history.
Which primarily leaves the question of why this Kabuki theater by the FCC et al pretending as if it's some vast, uncontrollable evil like the corona virus etc.?
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Point taken.
On March 8, 2020 at 15:06 damian@google.com (Damian Menscher) wrote:
On Sun, Mar 8, 2020 at 2:18 PM <bzs@theworld.com> wrote:
It's really not analogous to most of the mass attacks on the net because the entire telco system is built to know who is using it in great detail.
You don't think transit providers bill their customers?
The analogy holds surprisingly well. Any transit provider (or other ISP) could trivially identify their customers who are launching spoofed attacks, simply by looking for a high volume of SYN packets, or a high diversity of source ASNs, or several other signals. But instead they pretend it's "hard", just as the telcos do. In reality, the only thing that's hard about it is the policy decision of turning away money.
Damian
Have you ever made a billable call and *not* been billed for it?
If you're getting the same "Hi, this is <NAME> from card holder services" calls like everyone else, or auto warranty etc etc etc, that means they're making millions of calls per day, possibly hundreds of millions...per day.
No one makes many millions of voice calls without paying the telcos.
If you don't believe me try it. You'll have a swat team at your home or office (or possibly a telco sales person) probably after just hundreds of calls and you'll be blocked, shut down.
The telcos are making a lot of money on these calls.
They know exactly who is making them because they know exactly who they're sending that bill to and their payment history.
Which primarily leaves the question of why this Kabuki theater by the FCC et al pretending as if it's some vast, uncontrollable evil like the corona virus etc.?
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Sun, 08 Mar 2020 17:17:37 -0400, bzs@theworld.com said:
Which primarily leaves the question of why this Kabuki theater by the FCC et al pretending as if it's some vast, uncontrollable evil like the corona virus etc.?
Because even in today's climate of regulatory capture posing as proper oversight, there's a limit to just how blatant they can be in public before people start saying "Geez, get a room already".
On 3/8/20 9:59 AM, Damian Menscher via NANOG wrote:
In the robocall case, there *is* something the end user can do to fight the abuse: answer every call, and keep them on the line as long as possible. They are paying for connected calls, for the connection duration, and for the humans to scam people. If everyone tarpitted them, the business model would fail.
+1
When I recognize the name and number on caller ID, I'll answer in the usual manner.
I answer calls when I don't recognize the name or number, but say nothing. The caller then drops the connection, usually in 10 seconds -- and I hear the disconnect -- and usually my cordless phone's base station notices the disconnect as well. (Yes, I still have a standard POTS line.)
What if it's an unknown person but otherwise valid and not robo-call? They will notice the ringback tone stopping and will say "Hello, hello?" at which point I can have a conversation. (Some robocallers will notice the ringback tone stopping and start their automated spew, at which point I press "Off.")
This helps keep my blood pressure low, keeps my answering machine from filling up with useless calls, and I feel good that someone just spent a nickel for nothing.
I do the same, don't say anything when I pick up an unknown caller id until they say something, they disconnect about half or more of the time tho not always.
As I've said before what would likely work is if every time one of us (in the US anyhow) got a junk call we immediately called our congressional and/or senate office(s) and simply said "just got another junk call! (optionally add description.)"
The abuse works because we each suffer it alone.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 3/8/20 4:00 PM, bzs@theworld.com wrote:
As I've said before what would likely work is if every time one of us (in the US anyhow) got a junk call we immediately called our congressional and/or senate office(s) and simply said "just got another junk call! (optionally add description.)"
Doesn't work. I've been complaining to both House and Senate offices every time CMS (Medicare billing arm) overcharges me $800 for my premiums. It's to the point that my elected officials will listen, then say "write a letter" (which I have done several times) and blow me off.
Nothing ever gets fixed.
BBB has told me they don't take complaints about government entities.
On March 8, 2020 at 16:32 list@satchell.net (Stephen Satchell) wrote:
On 3/8/20 4:00 PM, bzs@theworld.com wrote:
As I've said before what would likely work is if every time one of us (in the US anyhow) got a junk call we immediately called our congressional and/or senate office(s) and simply said "just got another junk call! (optionally add description.)"
Doesn't work. I've been complaining to both House and Senate offices every time CMS (Medicare billing arm) overcharges me $800 for my premiums. It's to the point that my elected officials will listen, then say "write a letter" (which I have done several times) and blow me off.
Nothing ever gets fixed.
BBB has told me they don't take complaints about government entities.
I was thinking more in terms of millions of calls to congressional offices per day, not individual requests for action.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
participants (17)
- Brian J. Murrell
- Bryan Holloway
- bzs@theworld.com
- Christopher Morrow
- Clayton Zekelman
- Damian Menscher
- Eric Tykwinski
- James R Cutler
- John Levine
- John R. Levine
- Michael Thomas
- Mike Hammett
- Randy Bush
- Ross Tajvar
- Sean Donelan
- Stephen Satchell
- Valdis Klētnieks