VoIP


10/4/2008: 11:18 pm: Robert: VoIP

The main security blog I read is Matasano Chargen, which is educational and amusing. Today Wes Brown posted a basic intro to SIP and SIP security issues in the context of a story about Mario, Princess Peach, Luigi and Bowser. Fear the turtle.

7/2/2007: 12:18 am: Robert: Privacy and Security, VoIP

Since I’ve posted several times before about spoofing the caller ID for a phone call, you might think I would be interested in the Truth in Caller ID Act of 2007 that was recently introduced in the US Senate. And you would be correct.

Originally introduced in the House as H.R. Bill 251 and passed by voice vote, the bill has moved on to the Senate. A very similar bill, the Truth in Caller ID Act of 2006, was also introduced and passed in the House last year, but never made it out of the Senate. Both of these Acts were designed as amendments to Section 227 (RESTRICTIONS ON THE USE OF TELEPHONE EQUIPMENT) of the Communications Act of 1934.

Here are the major differences:

  • Changed “telecommunications service or VOIP service” to “telecommunications service or IP-enabled voice service”
  • Removed the qualification of “with the intent to defraud or cause harm”
  • Added exemptions for “any authorized activity of a law enforcement agency” or “a court order that specifically authorizes the use of caller identification manipulation”
  • Added a statement that implies (at least to me) that the FCC can include exemptions that the “Commission determines appropriate”
  • Added a statement that the FCC shall report back 6 months after enactment as to whether additional legislation is required to cover new technologies that have emerged
  • Added explicit civil forfeiture penalties and criminal fines for each violation (including up to $10,000 for each violation and treble damages per day for continuing violations)
  • Specified a 2-year statute of limitations on events occurring after a violation notice has been delivered (here’s an example of a real notice as defined by the Communications Act of 1934)
  • Added explicit statements regarding enforcement of the Act by States (though States must wait in line if the FCC is already taking action for an alleged violation). This section of the Act is intended to replace section 227, sub-section f, of the Communications Act of 1934, at least in regard to violations involving Caller ID spoofing.

One of the challenges faced by the authors of the Act is not to disallow legitimate uses of caller ID spoofing. When outbound calls are placed by an outbound calling service, the trunks that are used do not normally accept inbound calls. Although many outbound trunks may be used simultaneously, it typically makes sense that returned calls would go to a single recognizable number. Let’s say an emergency notification system were established to place outbound calls to a community in case of an accident at a nearby oil refinery or chemical plant. Obviously, many calls must be made very quickly, so lots of outbound lines would be used. In this scenario it makes sense to spoof the caller ID for each outbound line to a single inbound number that distributes the calls to people who are trained to answer questions about the notification.

The 2006 Act stated that it applied to cases where spoofing the caller ID was done “with the intent to defraud or cause harm”. While I can understand the desire to avoid having to prove the intent of an alleged violator, I’m worried that the new Act removes this statement and leaves it at – “transmit misleading or inaccurate caller identification information”. While my above example illustrates a case where the spoofed information is not misleading, one might technically argue that it is inaccurate. Maybe I’m splitting hairs, but I can think of several cases where “inaccurate” caller ID information is not necessarily harmful.

This Act covers more than just the calling party number (which is, strictly speaking, the caller ID). The Act also covers any other information that is also provided as part of a calling number identification service, such as a brief alphanumeric name that can optionally be requested along with the phone number, depending on the service provider.

Regardless of whether this Act passes, you should change your mobile phone voicemail account (if you haven’t done so already) so that it requires a password. The typical default setting is not to challenge you for a password if the caller ID for the call matches your mobile phone number. Convenient, but terribly insecure. You don’t want me listening to your voicemail, especially since I already read your email.

3/4/2006: 2:46 pm: Robert: Privacy and Security, VoIP

This week an AP originated article appeared in the Oakland Tribune on caller ID spoofing. My previous post on caller ID spoofing generated quite a few comments, including a lot of email requests for the source code or for me to provide it as a paid service. Just to cut short further requests, I have no interest in doing that.

As I wrote long ago and the article also states, you shouldn’t absolutely trust the phone number that shows up on your Caller ID service as being the phone number of the person calling you. It’s quite easy to fake for someone with a reasonable level of technical savvy. I originally did it via a VoiceXML application on a hosted VoiceXML service, but you can also do it if you manage your own PBX, such as Asterisk. For the less technical, you can just pay a service to handle it for you.

Camophone is no longer taking new customers, but Spooftel, Telespoof, Spooftech, and Spoofcard are currently active. Interestingly enough, the star38.com domain for the earliest (at least, earliest known to me) Caller ID spoofing provider now redirects to cia.gov. Conspiracy theorists, start your engines.

One obvious concern is any service that authenticates the user based just on Caller ID. One example is credit card activation. Some companies will automatically activate credit cards if the Caller ID for the incoming call to the activation line is the same as the number used when applying for the credit card. That could allow someone to activate a large number of credit cards in a very short period of time by using fake phone numbers.

A dangerous privacy-related example for consumers is voice mail systems that don’t require a password if you call from the number associated with the voicemail box. Many mobile carriers use this as the default configuration. If someone knows your mobile number, they can call the main number for voicemail access and spoof your number. They can then listen to your stored messages.
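
The voicemail weakness described above, written as an Asterisk dialplan fragment with the weak setting beside a corrected one. This is an added example, not configuration from the original post or from any carrier; it assumes a self-managed Asterisk PBX using app_voicemail, and the context names and the access number 5550100 are constructed.

```ini
; extensions.conf fragment (constructed example)
; Context names and the access number 5550100 are assumptions.

[voicemail-access-weak]
; Weak: the caller ID presented on the inbound call selects the mailbox,
; and the "s" option tells VoiceMailMain to skip the password check.
; Caller ID is asserted by the far end, so it is not proof of identity.
exten => 5550100,1,Answer()
 same => n,VoiceMailMain(${CALLERID(num)}@default,s)
 same => n,Hangup()

[voicemail-access-hardened]
; Hardened: caller ID is ignored for authentication. The caller is
; prompted for both the mailbox number and its password on every call.
exten => 5550100,1,Answer()
 same => n,VoiceMailMain()
 same => n,Hangup()
```

Only one of the two contexts would be attached to the inbound trunk; the difference that matters is the absence of the `s` option on any path reachable from outside the PBX.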

8/22/2005: 10:47 pm: Robert: VoIP

Each week, more and more companies are jumping on the VoIP train. The next major company likely to debut a new, integrated VoIP service is Yahoo. I just learned that Yahoo bought Dialpad back in June, and that acquisition certainly gives them a big head start on integrating VoIP with their Yahoo Messenger client. My friend Ed over at Televoce forwarded me an article from Silicon.com that helped me get caught up.

The incumbent, monopolist-wannabe, Bell descendants won’t give up easy. Massive lobbying and huge campaign donations by the big phone companies have led tools like Orrin Hatch to do everything they can politically to shut down any innovation that threatens the former Bells.

For more interesting VoIP news, check out these recent columns from Bob Cringely:

  1. NeuStar Is VoIP’s Only Guaranteed Sure Thing
  2. The Likely Sale of Skype Will Be Another Kick in the Head to Old-Line Phone Companies Worldwide
  3. Thanks to the Supreme Court and the FCC, U.S. Telcos Are About to Reinvent Their DSL Businesses

10/21/2004: 12:14 am: Robert: VoIP

FCC Chairman Michael Powell continues to behave in a startlingly reasonable way when he announced that he will seek federal control over VoIP regulation. The IP telephony industry is definitely taking off and I think it would be a shame if the small, innovative companies that have jump started the whole thing were to get mired in regulation that varies widely from state to state. That would be a clear invite for the big players with their armies of lawyers to sweep in and begin to stake out new monopolies.

I think this step counts as fulfilling item 10 on Voxilla’s top ten predictions for VoIP in 2004 – FCC steps in on regulation. Also, I still stand by my belief that this is not a bad thing.

10/10/2004: 11:21 pm: Robert: VoIP

VoIP Market Leaders Declare a Price War – Voxilla.com

The recent drops in monthly rates for AT&T CallVantage, Vonage, and Broadvox Direct suggest that the consumer VoIP market is heating up and that these companies all expect adoption rates to take off at a much quicker pace soon. When the inflection point occurs, you don’t want to be the most expensive provider.

Unlimited calling plans from VoIP providers originally started out at around $40/month. I’m sure that this would have been a cost savings for some people, but I very rarely spend $40/month on non-cellphone or broadband telecom charges. I use my cellphone for almost all long distance calls. With the most recent price cuts, you can get unlimited calling plans across the US from the above trio for anywhere from $20 to $30. Those prices are now reaching levels that are tempting even for me.

Of course, the pure geek appeal of replacing my old school POTS connection with a VoIP connection is mighty tempting, but my geek to-do list is already too long. Also, there’s plenty of free, do-it-yourself VoIP software for me to while away my time with. A list of the software I’m looking at will be the subject of an upcoming post.

Since EarthLink is my ISP, I wanted to try EarthLink OnlineCalling. But, the software they are OEM’ing is Xten’s X-Lite, which runs on Windows and Mac OS X, only. It looks cool, though, maybe a bit too gratuitously puffy. Maybe I’ll try it on my wife’s Powerbook when she’s not looking.

One major drawback of OnlineCalling/X-Lite is the Earthlink license. When you sign up for OnlineCalling, Earthlink displays in a tiny little text box a grotesquely lengthy license covering pretty much every product and service they offer. Why couldn’t they have separated out just the part that was relevant! Must … control … anti-bad-license fist of death.

6/26/2004: 1:03 am: Robert: Linux, VoIP

Ever since I posted about Skype and my desire for Skyper Limited to release a Linux client, I have averaged about six hits a day from people searching on some search engine for some variant of “skype+linux” and clicking through to my site. Sorry I didn’t have much insight to offer back then.

However, Skyper has finally released a beta version of a Skype client for Linux.

If you install Skype on Fedora Core 1, be sure to download the Qt 3.1 version and use the --nodeps argument for rpm. For example,

rpm -ivh --nodeps skype-0.90.0.4.qt3.1-1.i386.rpm

So, now I’m back on Skype after a long absence. My Skype ID is wombatnation.

I got my Plantronics DSP 500 headset working on Fedora (more on that later), so hopefully the sound quality will be acceptable. I’ve heard that the sound quality with the Windows Skype client has improved quite a bit since the last time I tried it.

5/27/2004: 10:21 pm: Robert: Linux, Reviews, Software, VoIP

I saw quite a few cool things today at the eBIG FutureTech and Gadget Show.

My friend Ed from TeleVoce was there showing off a prototype of the TeleVoce Duetto. The Duetto is a special cordless phone that can take both VoIP calls through a connected computer and regular PSTN calls. One cool feature of the phone is that if it detects that your regular phone line is already in use, it routes the call over the Internet. Of course, if you’re trying to make a call to someone else with a regular phone, you will need to have previously arranged for a VoIP to PSTN gateway service.

When I walked up to talk to Ed, he was explaining how the Duetto works to someone else. At one point, she mentioned that she was interested in the company from the position of an angel investor. I was pretty sure it was Kim Polese, so after I got home I tracked down a photo of her on the web. I’m now fairly certain it was Kim.

Stereographics was also there showing off two different 3D displays. They had a traditional 3D display that required special glasses. The display switches rapidly between the two different parts of the stereo image. The glasses have liquid crystal shutters that are synched to the display. The brain automatically fuses the images, leaving you with the perception of seeing a 3D image on a 2D screen.

The Synthagram display didn’t require glasses. They put a special layer (technically, a microlens array) on a conventional LCD display to create the 3D effect. The technology is pretty similar to the 3D baseball cards I used to collect when I was a kid. In fact, they gave me a similar style, albeit much larger, card with a very cool 3D image of a coral reef with tropical fish and dolphins. Since you need to use special software to create the images, this display is primarily targeted at commercial advertising, casinos, and arcade gaming.

SightSpeed was there showing off their video messaging and video conferencing tools. They currently support only Windows and Mac OSs, but the CTO told me they would start offering a Linux client in about a month. He said they were waiting on a couple more distributions to include the Linux 2.6 kernel, since they need ALSA to support real-time audio. I’ve heard really good things about the quality of their software, so I’m really happy they’re adding Linux support.

GlooLabs was demonstrating their software that powers the HomePod, which is manufactured by MacSense. The HomePod is a wireless audio platform. The software is written in Java and it is running in the HomePod on an embedded Linux operating system. The software controller app is also written in Java and it is supported on Linux, Mac OS X, and Windows. The basic idea of the HomePod is that it can stream music from computer-like devices to standard audio devices, like a home stereo. The HomePod can grab music (currently MP3 only, but soon to include AAC – I can only hope they add Ogg Vorbis some day) from folders or an iTunes library on a computer over a wired or wireless connection. The HomePod also supports Internet radio stations, but only MP3-based streams, such as SHOUTcast. On top of all this, it includes a small infrared remote control.

If you’re a developer, you should check out the developer edition of the HomePod, which gives you a Linux login, C APIs for the drivers, Java APIs for the apps, the ability to update the firmware, and access to the GLOO development team. Hmmm, if I only thought I had enough free time, I would buy one and try to enable Ogg Vorbis support myself.

There was also a company with a low end Segway clone, a company with a way cool home theater chair, and lots of other cool stuff.

5/26/2004: 11:14 pm: Robert: Software, VoIP

Tomorrow is the East Bay IT Group’s (eBIG) FutureTech and Gadget Show from noon to 7 pm at the Carr America Conference Center in Pleasanton. I joined eBIG about a month ago and I definitely plan to be at the show.

A friend of mine (and fellow San Jose Earthquakes fan) will be there from TeleVoce showing off their upcoming cordless VoIP phone.

If you live in the East Bay and work in high tech, you owe it to yourself to check out eBIG. They have a lot of great special interest groups (such as Java, Software Architecture, Start Ups/VC, User Experience, etc.). Although I can’t credit networking via eBIG with helping me find my new job, it did give me the chance to have a very interesting conversation with Bruce Eckel on Java, Python, and unit testing.

2/9/2004: 6:40 pm: Robert: VoIP

Covad Announces Voice Over Internet Protocol (VoIP) Deployment Plans

Just after commenting that I haven’t been motivated enough to try out a VoIP service provider as a wireline home phone option, I learn that my DSL provider, Covad, plans to roll out VoIP service for businesses and consumers later this year. Since this service probably won’t be available to me until around the fourth quarter of this year, I’ve got plenty of time to look around.
