On Tue, 2008-05-13 at 12:41 -0400, Steve Totaro wrote:
> Nitzan,
>
> Maybe you are unaware that all of this could be done with *absolutely*
> no way to trace it back to the "Culprit".
>
> If you cannot trace it back to the culprit AND more importantly, clear
> the INNOCENT, then more regulation is needed.
>

I agree to a point. I don't think more regulation is needed; I think a fairer approach of not charging people out of suspicion but rather facts would clear more innocent even if it lets some guilty get away. The feds have a 96% plea rate give or take. This is because they threaten people with really long sentences and offer pleas of minimal sentences; many who have given up on fighting accept the plea out of desperation and not because they believe they are guilty. Of those that go to trial 75% lose in the federal system, often because of dirty tricks used and a bunch of retired postal employees as jurors.

One of the first tactics that the feds use is to dry up your income so you can't afford a real lawyer and end up with a public defender. Seizing funds (or at least freezing them), ensuring you get fired, etc. are all standard tactics.

If there is regulation it needs to be that the government will play fair in prosecution. If this happens you will see many more people walk when the evidence just isn't there, rather than conviction because the government says so.

Generally more regulation only leads to more "criminals", some of whom are unintended consequences of a poorly written law. It generally does little to actually stop innocent convictions, or halt an undesirable action.

> This makes more sense:
> Open WiFi AP (or cracked WEP) ----> hacked Asterisk box (who sets the
> CID/ANI ----> Telco ------> terminated to the PSTN
>

open/cracked wifi device using voip device -> itsp that takes paypal or credit cards and does instant activation -> pstn

paypal and credit cards are stolen all the time, and are probably more plentiful than vulnerable voip systems (asterisk or not) so the attack vector is larger than in your example.

> Be sure to delete appropriate logs on the hacked Asterisk boxen and just
> to be safe, spoof your laptop's MAC address. Perform your exploit
> somewhere inconspicuous and a good distance from "home, then clean your
> laptop by using DBAN http://dban.sourceforge.net/ which is DoD 5220.22-M
> compliant, before re-installing your OS"......

this step also could be removed, certain the clean up, but if you can really get in and out without anyone noticing, bounce around to different locations, use proxies, etc. tracing it back to the user of the access point becomes difficult and unless you enter the US or UK where they can search the contents of your laptop "because they feel like it" wiping it isn't always required.

fyi eteraser does DoD compliant wipes of free and slack space on windows boxes, and if you use a wifi phone or ATA or something that way there generally aren't logs to even require this step. And many of the wifi phones look like mobiles so it wouldn't look as odd, but you may not have as much ability to set clid/ani to said itsp provider.

--
Trixter http://www.0xdecafbad.com
Bret McDanel
Belfast +44 28 9099 6461
US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!
