Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread Randy Bush
>> What is an "ebony phone"? (Google results for that phrase are mostly porn.)
> 
> https://www.ebay.com/itm/1950S-WESTERN-ELECTRIC-EBONY-BLACK-ROTARY-DIAL-DESK-TELEPHONE-/333465026527

at least the swedes knew basic arithmetic

https://www.ebay.com/itm/C-Late-40s-early-50s-Vintage-Swedish-Rotary-Dial-Phone-Telegrafverket-EX/202923546399


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread Christopher Morrow
On Mon, Mar 9, 2020 at 9:25 PM Ross Tajvar  wrote:
>
> What is an "ebony phone"? (Google results for that phrase are mostly porn.)

https://www.ebay.com/itm/1950S-WESTERN-ELECTRIC-EBONY-BLACK-ROTARY-DIAL-DESK-TELEPHONE-/333465026527

I agree, that's a form of porn.
#rule34

-chris

> On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow  
> wrote:
>>
>> On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway  wrote:
>> >
>> >
>> > On 3/7/20 8:03 AM, Christopher Morrow wrote:
>> > > On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  
>> > > wrote:
>> > >
>> > >> So, if my telco can bill the callers for those premium calls, they
>> > >> surely know who they are, or at least know where they are sending the
>> > >> bill and getting payment from.
>> > >
>> > > You are mistaken, billing is very hard.
>> > > Telcos show this regularly.
>> > >
>> >
>> > On the contrary: billing is easy. Getting it right is hard.
>>
>> You are technically correct, the best kind of correct.
>>
>> Seriously though, a bunch of the conversation about shaken/stir and
>> various problems with spam callers reveals:
>>   "telcos don't care (for any reason you can imagine)"
>>   "gov't mandates aren't  really going to help"
>>   "people care as recipients of these calls, but really there are
>> options for them as well to not get the calls (or not answer them)"
>>
>> I like that Mr Thomas's answer: "Why can't we just cryptographically
>> sign the caller's ANI and use that as a method to ID real callers we
>> care about?"
>> since that was my suggestion to the stir folk in their very first
>> meeting... "what about ebony phones!" said the lawyer from
>> telco-ville.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread John Levine
In article <24166.56720.929382.920...@gargle.gargle.howl> you write:
>I was thinking more in terms of millions of calls to congressional
>offices per day, not individual requests for action.

Who do you think has put the screws on the FCC to make STIR/SHAKEN happen?



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread James R Cutler
In this case, “ebony phone” refers to the (usually) black housing of landline 
phones, either dial or manual that your parents probably used for years. Caller 
ID has long been supplied (for extra cost) to subscribers as a signal 
interspersed with the ring signal.

The answer to “what about ebony phones” is to require telcos to verify the 
Caller ID which is delivered to landline telephones along with the ring signal.

Again, this is not likely since it would impact the telco’s profit margin.


James R. Cutler
james.cut...@consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net



> On Mar 9, 2020, at 9:25 PM, Ross Tajvar  wrote:
> 
> What is an "ebony phone"? (Google results for that phrase are mostly porn.)
> 
> On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow wrote:
> On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway wrote:
> >
> >
> > On 3/7/20 8:03 AM, Christopher Morrow wrote:
> > > On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell wrote:
> > >
> > >> So, if my telco can bill the callers for those premium calls, they
> > >> surely know who they are, or at least know where they are sending the
> > >> bill and getting payment from.
> > >
> > > You are mistaken, billing is very hard.
> > > Telcos show this regularly.
> > >
> >
> > On the contrary: billing is easy. Getting it right is hard.
> 
> You are technically correct, the best kind of correct.
> 
> Seriously though, a bunch of the conversation about shaken/stir and
> various problems with spam callers reveals:
>   "telcos don't care (for any reason you can imagine)"
>   "gov't mandates aren't  really going to help"
>   "people care as recipients of these calls, but really there are
> options for them as well to not get the calls (or not answer them)"
> 
> I like that Mr Thomas's answer: "Why can't we just cryptographically
> sign the caller's ANI and use that as a method to ID real callers we
> care about?"
> since that was my suggestion to the stir folk in their very first
> meeting... "what about ebony phones!" said the lawyer from
> telco-ville.



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread Ross Tajvar
What is an "ebony phone"? (Google results for that phrase are mostly porn.)

On Sat, Mar 7, 2020 at 12:55 PM Christopher Morrow 
wrote:

> On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway  wrote:
> >
> >
> > On 3/7/20 8:03 AM, Christopher Morrow wrote:
> > > On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell <
> br...@interlinx.bc.ca> wrote:
> > >
> > >> So, if my telco can bill the callers for those premium calls, they
> > >> surely know who they are, or at least know where they are sending the
> > >> bill and getting payment from.
> > >
> > > You are mistaken, billing is very hard.
> > > Telcos show this regularly.
> > >
> >
> > On the contrary: billing is easy. Getting it right is hard.
>
> You are technically correct, the best kind of correct.
>
> Seriously though, a bunch of the conversation about shaken/stir and
> various problems with spam callers reveals:
>   "telcos don't care (for any reason you can imagine)"
>   "gov't mandates aren't  really going to help"
>   "people care as recipients of these calls, but really there are
> options for them as well to not get the calls (or not answer them)"
>
> I like that Mr Thomas's answer: "Why can't we just cryptographically
> sign the caller's ANI and use that as a method to ID real callers we
> care about?"
> since that was my suggestion to the stir folk in their very first
> meeting... "what about ebony phones!" said the lawyer from
> telco-ville.
>


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-09 Thread bzs


On March 8, 2020 at 16:32 l...@satchell.net (Stephen Satchell) wrote:
 > On 3/8/20 4:00 PM, b...@theworld.com wrote:
 > > As I've said before what would likely work is if every time one of us
 > > (in the US anyhow) got a junk call we immediately called our
 > > congressional and/or senate office(s) and simply said "just got
 > > another junk call! (optionally add description.)"
 > 
 > Doesn't work.  I've been complaining to both House and Senate offices every 
 > time CMS (Medicare billing arm) overcharges me $800 for my premiums. 
 > It's to the point that my elected officials will listen, then say "write 
 > a letter" (which I have done several times) and blow me off.
 > 
 > Nothing ever gets fixed.
 > 
 > BBB has told me they don't take complaints about government entities.

I was thinking more in terms of millions of calls to congressional
offices per day, not individual requests for action.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Valdis Klētnieks
On Sun, 08 Mar 2020 17:17:37 -0400, b...@theworld.com said:
> Which primarily leaves the question of why this Kabuki theater by the
> FCC et al pretending as if it's some vast, uncontrollable evil like
> the corona virus etc.?

Because even in today's climate of regulatory capture posing as proper
oversight, there's a limit to just how blatant they can be in public before
people start saying "Geez, get a room already".




Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Stephen Satchell

On 3/8/20 4:00 PM, b...@theworld.com wrote:

> As I've said before what would likely work is if every time one of us
> (in the US anyhow) got a junk call we immediately called our
> congressional and/or senate office(s) and simply said "just got
> another junk call! (optionally add description.)"

Doesn't work.  I've been complaining to both House and Senate offices every 
time CMS (Medicare billing arm) overcharges me $800 for my premiums. 
It's to the point that my elected officials will listen, then say "write 
a letter" (which I have done several times) and blow me off.


Nothing ever gets fixed.

BBB has told me they don't take complaints about government entities.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread bzs


I do the same, don't say anything when I pick up an unknown caller id
until they say something, they disconnect about half or more of the
time tho not always.

As I've said before what would likely work is if every time one of us
(in the US anyhow) got a junk call we immediately called our
congressional and/or senate office(s) and simply said "just got
another junk call! (optionally add description.)"

The abuse works because we each suffer it alone.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread bzs


Point taken.

On March 8, 2020 at 15:06 dam...@google.com (Damian Menscher) wrote:
 > On Sun, Mar 8, 2020 at 2:18 PM  wrote:
 > 
 > 
 > It's really not analogous to most of the mass attacks on the net
 > because the entire telco system is built to know who is using it in
 > great detail.
 > 
 > 
 > You don't think transit providers bill their customers?
 > 
 > The analogy holds surprisingly well.  Any transit provider (or other ISP) 
 > could
 > trivially identify their customers who are launching spoofed attacks, simply 
 > by
 > looking for a high volume of SYN packets, or a high diversity of source ASNs,
 > or several other signals.  But instead they pretend it's "hard", just as the
 > telcos do.  In reality, the only thing that's hard about it is the policy
 > decision of turning away money.
 > 
 > Damian
 > 
 > 
 > Have you ever made a billable call and *not* been billed for it?
 > 
 > If you're getting the same "Hi, this is  from card holder
 > services" calls like everyone else, or auto warranty etc etc etc, that
 > means they're making millions of calls per day, possibly hundreds of
 > millions...per day.
 > 
 > No one makes many millions of voice calls without paying the telcos.
 > 
 > If you don't believe me try it. You'll have a swat team at your home
 > or office (or possibly a telco sales person) probably after just
 > hundreds of calls and you'll be blocked, shut down.
 > 
 > The telcos are making a lot of money on these calls.
 > 
 > They know exactly who is making them because they know exactly who
 > they're sending that bill to and their payment history.
 > 
 > Which primarily leaves the question of why this Kabuki theater by the
 > FCC et al pretending as if it's some vast, uncontrollable evil like
 > the corona virus etc.?
 > 
 > --
 >         -Barry Shein
 > 
 > Software Tool & Die    | b...@theworld.com             | http://
 > www.TheWorld.com
 > Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
 > The World: Since 1989  | A Public Information Utility | *oo*
 > 

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Stephen Satchell

On 3/8/20 9:59 AM, Damian Menscher via NANOG wrote:

> In the robocall case, there *is* something the end user can do to fight the
> abuse: answer every call, and keep them on the line as long as possible.
> They are paying for connected calls, for the connection duration, and for
> the humans to scam people.  If everyone tarpitted them, the business model
> would fail.


+1

When I recognize the name and number on caller ID, I'll answer in the 
usual manner.


I answer calls when I don't recognize the name or number, but say 
nothing.  The caller then drops the connection, usually in 10 seconds -- 
and I hear the disconnect -- and usually my cordless phone's base 
station notices the disconnect as well.  (Yes, I still have a standard 
POTS line.)


What if it's an unknown person but otherwise valid and not robo-call? 
They will notice the ringback tone stopping and will say "Hello, hello?" 
at which point I can have a conversation.  (Some robocallers will notice 
the ringback tone stopping and start their automated spew, at which 
point I press "Off.")


This helps keep my blood pressure low, keeps my answering machine from 
filling up with useless calls, and I feel good that someone just spent a 
nickel for nothing.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Damian Menscher via NANOG
On Sun, Mar 8, 2020 at 2:18 PM  wrote:

>
> It's really not analogous to most of the mass attacks on the net
> because the entire telco system is built to know who is using it in
> great detail.
>

You don't think transit providers bill their customers?

The analogy holds surprisingly well.  Any transit provider (or other ISP)
could trivially identify their customers who are launching spoofed attacks,
simply by looking for a high volume of SYN packets, or a high diversity of
source ASNs, or several other signals.  But instead they pretend it's
"hard", just as the telcos do.  In reality, the only thing that's hard
about it is the policy decision of turning away money.

Damian

> Have you ever made a billable call and *not* been billed for it?
>
> If you're getting the same "Hi, this is  from card holder
> services" calls like everyone else, or auto warranty etc etc etc, that
> means they're making millions of calls per day, possibly hundreds of
> millions...per day.
>
> No one makes many millions of voice calls without paying the telcos.
>
> If you don't believe me try it. You'll have a swat team at your home
> or office (or possibly a telco sales person) probably after just
> hundreds of calls and you'll be blocked, shut down.
>
> The telcos are making a lot of money on these calls.
>
> They know exactly who is making them because they know exactly who
> they're sending that bill to and their payment history.
>
> Which primarily leaves the question of why this Kabuki theater by the
> FCC et al pretending as if it's some vast, uncontrollable evil like
> the corona virus etc.?
>
> --
> -Barry Shein
>
> Software Tool & Die| b...@theworld.com |
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*
>


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread bzs


It's really not analogous to most of the mass attacks on the net
because the entire telco system is built to know who is using it in
great detail.

Have you ever made a billable call and *not* been billed for it?

If you're getting the same "Hi, this is  from card holder
services" calls like everyone else, or auto warranty etc etc etc, that
means they're making millions of calls per day, possibly hundreds of
millions...per day.

No one makes many millions of voice calls without paying the telcos.

If you don't believe me try it. You'll have a swat team at your home
or office (or possibly a telco sales person) probably after just
hundreds of calls and you'll be blocked, shut down.

The telcos are making a lot of money on these calls.

They know exactly who is making them because they know exactly who
they're sending that bill to and their payment history.

Which primarily leaves the question of why this Kabuki theater by the
FCC et al pretending as if it's some vast, uncontrollable evil like
the corona virus etc.?

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread bzs


On March 7, 2020 at 14:54 s...@donelan.com (Sean Donelan) wrote:
 > 
 > Has encryption ever solved scams/fraud/spam?
 > 
 > Extended Validation SSL Certificates - Just pay a Certificate Authority 
 > more money
 > 
 > DKIM signed email - Just pay a mail provider more money to blast email
 > 
 > SWIFT encrypted payments - Just find the weakest bank somewhere in the 
 > world

DKIM will be incredibly effective when we deploy a reputation database
as I was scolded at by someone who was deeply involved in all this in
2003 when I expressed some skepticism.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread bzs


On March 7, 2020 at 02:03 morrowc.li...@gmail.com (Christopher Morrow) wrote:
 > On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  
 > wrote:
 > 
 > > So, if my telco can bill the callers for those premium calls, they
 > > surely know who they are, or at least know where they are sending the
 > > bill and getting payment from.
 > 
 > You are mistaken, billing is very hard.
 > Telcos show this regularly.

Telcos have been described as vast and efficient billing systems with
some minor voice service functions attached.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Mike Hammett
Send them all to Lenny! 

If Apple and Google implemented a "Forward to Lenny" option in their OSes, robo 
calls would drop dramatically. :-) 





- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Damian Menscher via NANOG"  
To: "Brian J. Murrell"  
Cc: "NANOG mailing list"  
Sent: Sunday, March 8, 2020 11:59:07 AM 
Subject: Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls 



On Fri, Mar 6, 2020 at 8:05 PM Brian J. Murrell < br...@interlinx.bc.ca > 
wrote: 



On Fri, 2020-03-06 at 18:37 -0500, b...@theworld.com wrote: 
> 
> Why don't they just ask the phone companies who are billing these 
> robocallers who they are and we can arrest them. 

Exactly. 

I have always maintained that if my phone number were one of those 
"premium" numbers (1-976 -- maybe I am dating myself but you know what 
I mean -- where calls to it were billed at $5/min), I am sure that my 
telco (the one providing me the premium number on my the phone line 
that runs into my location) would always know exactly who to send the 
bill to for every call that called my number, including robocallers[1]. 

So, if my telco can bill the callers for those premium calls, they 
surely know who they are, or at least know where they are sending the 
bill and getting payment from. 

But who are we kidding? The telcos have been making money hand over 
fist with robocalls and are not really all that motivated to dry up 
that revenue stream. Regulation (as much as I hate it in general) is 
the only solution. 

Making the allowing of robocalls more expensive than preventing them is 
the only solution. Whether that is through fines as a result of 
regulation or otherwise. 





This is similar to the BCP38 problem of spoofed packets making their way onto 
the internet. The recipient has no way of knowing which packets are spoofed, 
but with (sampled) netflow/sflow, the origin of a flood of traffic *can* be 
traced, even if spoofed. And, once traced, it *can* be filtered. The fact 
transit providers don't do this traceback and filtering today is simply because 
it would cost money, and they make more money carrying the traffic (and also 
the amplified DDoS traffic it causes). The only solution is to make it more 
expensive to facilitate criminal activity than to prevent it. I think we're 
seeing the beginnings of this in the telco industry, and I hope it carries over 
to the internet. 


In the robocall case, there *is* something the end user can do to fight the 
abuse: answer every call, and keep them on the line as long as possible. They 
are paying for connected calls, for the connection duration, and for the humans 
to scam people. If everyone tarpitted them, the business model would fail. 


Damian 


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-08 Thread Damian Menscher via NANOG
On Fri, Mar 6, 2020 at 8:05 PM Brian J. Murrell 
wrote:

> On Fri, 2020-03-06 at 18:37 -0500, b...@theworld.com wrote:
> >
> > Why don't they just ask the phone companies who are billing these
> > robocallers who they are and we can arrest them.
>
> Exactly.
>
> I have always maintained that if my phone number were one of those
> "premium" numbers (1-976 -- maybe I am dating myself but you know what
> I mean -- where calls to it were billed at $5/min), I am sure that my
> telco (the one providing me the premium number on my the phone line
> that runs into my location) would always know exactly who to send the
> bill to for every call that called my number, including robocallers[1].
>
> So, if my telco can bill the callers for those premium calls, they
> surely know who they are, or at least know where they are sending the
> bill and getting payment from.
>
> But who are we kidding?  The telcos have been making money hand over
> fist with robocalls and are not really all that motivated to dry up
> that revenue stream.  Regulation (as much as I hate it in general) is
> the only solution.
>
> Making the allowing of robocalls more expensive than preventing them is
> the only solution.  Whether that is through fines as a result of
> regulation or otherwise.
>

This is similar to the BCP38 problem of spoofed packets making their way
onto the internet.  The recipient has no way of knowing which packets are
spoofed, but with (sampled) netflow/sflow, the origin of a flood of traffic
*can* be traced, even if spoofed.  And, once traced, it *can* be filtered.
The fact transit providers don't do this traceback and filtering today is
simply because it would cost money, and they make more money carrying the
traffic (and also the amplified DDoS traffic it causes).  The only solution
is to make it more expensive to facilitate criminal activity than to
prevent it.  I think we're seeing the beginnings of this in the telco
industry, and I hope it carries over to the internet.

In the robocall case, there *is* something the end user can do to fight the
abuse: answer every call, and keep them on the line as long as possible.
They are paying for connected calls, for the connection duration, and for
the humans to scam people.  If everyone tarpitted them, the business model
would fail.

Damian
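
The flow-based traceback described in this message, using the two signals named elsewhere in the thread (a high volume of SYN packets and a high diversity of source ASNs), as an added example that is not part of the original post. The flow records, customer prefixes, prefix-to-ASN table, sampling rate and thresholds are all constructed assumptions, using documentation address and ASN ranges.

```python
import ipaddress
from collections import defaultdict

TCP, SYN, ACK = 6, 0x02, 0x10
SAMPLING_RATE = 1000          # 1-in-N packet sampling on the exporter (assumed)

# Prefixes each customer port may legitimately source from (constructed).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25")],
}

# Constructed prefix -> origin ASN table, documentation ranges only.
PREFIX_TO_ASN = [
    (ipaddress.ip_network("192.0.2.0/25"), 64496),
    (ipaddress.ip_network("192.0.2.128/25"), 64497),
] + [
    (net, 64500 + i)
    for i, net in enumerate(
        ipaddress.ip_network("198.51.100.0/24").subnets(new_prefix=27))
]

# Per-window alert thresholds (assumptions; tune per customer type).
MAX_SYN_PACKETS = 100_000     # estimated bare SYNs after scaling by sampling
MAX_SOURCE_ASNS = 3
MAX_OFF_PREFIX_RATIO = 0.05


def origin_asn(addr):
    """Longest-prefix match of addr against PREFIX_TO_ASN; None if unrouted."""
    matches = [(net.prefixlen, asn) for net, asn in PREFIX_TO_ASN if addr in net]
    return max(matches)[1] if matches else None


def summarise(flows):
    """Aggregate sampled flow records per customer-facing ingress port."""
    stats = defaultdict(lambda: {"packets": 0, "syn": 0, "off_prefix": 0,
                                 "asns": set()})
    for port, src, _dst, proto, flags, packets in flows:
        addr = ipaddress.ip_address(src)
        s = stats[port]
        s["packets"] += packets
        # Bare SYN (no ACK) is the connection-opening packet a flood is made of.
        if proto == TCP and flags & SYN and not flags & ACK:
            s["syn"] += packets
        # Sources outside the customer's own prefixes are what BCP38 would drop.
        if not any(addr in net for net in CUSTOMER_PREFIXES.get(port, [])):
            s["off_prefix"] += packets
        s["asns"].add(origin_asn(addr))
    return stats


def suspicious_ports(flows):
    """Return {port: [reasons]} for ports whose window exceeds a threshold."""
    flagged = {}
    for port, s in summarise(flows).items():
        reasons = []
        if s["syn"] * SAMPLING_RATE > MAX_SYN_PACKETS:
            reasons.append("syn_volume")
        if len(s["asns"]) > MAX_SOURCE_ASNS:
            reasons.append("source_asn_diversity")
        if s["packets"] and s["off_prefix"] / s["packets"] > MAX_OFF_PREFIX_RATIO:
            reasons.append("off_prefix_sources")
        if reasons:
            flagged[port] = reasons
    return flagged


# Constructed sample window: (ingress port, src, dst, proto, tcp flags, sampled packets)
SAMPLE_FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.10", TCP, SYN, 2),
    ("cust-a", "192.0.2.10", "203.0.113.10", TCP, ACK, 30),
    ("cust-a", "192.0.2.77", "203.0.113.25", TCP, SYN | ACK, 1),
    ("cust-a", "192.0.2.20", "203.0.113.53", 17, 0, 5),
    ("cust-b", "192.0.2.130", "203.0.113.10", TCP, ACK, 12),
] + [
    # cust-b also emits bare SYNs whose sources sit in eight foreign ASNs.
    ("cust-b", f"198.51.100.{32 * i + 5}", "203.0.113.10", TCP, SYN, 40)
    for i in range(8)
]

if __name__ == "__main__":
    for port, reasons in suspicious_ports(SAMPLE_FLOWS).items():
        print(port, reasons)
```

The ingress port, not the source address, is the identity here: the addresses are forged, but the interface the packets arrived on is the customer being billed.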


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Eric Tykwinski
Totally agree with you there, I run a mail server/monitoring server on OVH.  
With TLSA records, DKIM, and MTA-STS, I’ll still see junk filters on it if I 
accidentally email someone other than myself.  Yes my space has been SWIP’d and 
I send such low email volume, so its reputation would be neutral at best which 
very much justifies the spam filters due to OVH’s reputation.  Somehow I don’t 
think SHAKEN/STIR would be any different.

I wonder how far this would go on VoIP transit.  I purchase from voicetel.com 
 for my house, which purchases from some other providers, 
which probably aggregates to others.  It doesn’t seem like this is quite as 
easy as looking up a whois from ARIN.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 7, 2020, at 7:46 PM, John R. Levine  wrote:
> 
>> Most DNS registers avoid verifying customer information as long as the 
>> payment clears (for a short time).  DKIM (and DNSSEC) is built on top of 
>> trusting tokens from third-parties which disclaim all liability.
> 
> Right.  The only promise that DKIM makes is that if you have a stream of mail 
> signed by the same domain, you can praise or blame the same entity for it.  
> It's a handle that recipient systems can use to build a reputation system, 
> not a whitelist.  DKIM has worked this way since 2006, the documentation is 
> entirely clear that's what it does, and I'm kind of surprised you haven't 
> gotten the memo.
> 
>> Phone companies and advertisers have already demonstrated they can't be 
>> trusted to act as third-party introducers.
> 
> No kidding.  I've talked to people at big telcos who are in the middle of 
> STIR/SHAKEN and they tell me they plan to use it pretty much the same way 
> that mail providers use DKIM.  Some senders will have a good reputation and 
> their calls will be delivered, some won't, and not so much. As with mail, it 
> also provides a handle to push back on people sending unwanted junk.
> 
>> Eventually we'll have STE/STU-equivalent end-to-end verification on our 
>> smartphones.
> 
> That's known not to work for e-mail spam, so I can't imagine why anyone would 
> expect it to work for phone calls.
> 
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for 
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread John R. Levine
> Most DNS registers avoid verifying customer information as long as the 
> payment clears (for a short time).  DKIM (and DNSSEC) is built on top of 
> trusting tokens from third-parties which disclaim all liability.


Right.  The only promise that DKIM makes is that if you have a stream of 
mail signed by the same domain, you can praise or blame the same entity 
for it.  It's a handle that recipient systems can use to build a 
reputation system, not a whitelist.  DKIM has worked this way since 2006, 
the documentation is entirely clear that's what it does, and I'm kind of 
surprised you haven't gotten the memo.


> Phone companies and advertisers have already demonstrated they can't be 
> trusted to act as third-party introducers.


No kidding.  I've talked to people at big telcos who are in the middle 
of STIR/SHAKEN and they tell me they plan to use it pretty much the same 
way that mail providers use DKIM.  Some senders will have a good 
reputation and their calls will be delivered, some won't, and not so much. 
As with mail, it also provides a handle to push back on people sending 
unwanted junk.


> Eventually we'll have STE/STU-equivalent end-to-end verification on our 
> smartphones.


That's known not to work for e-mail spam, so I can't imagine why anyone 
would expect it to work for phone calls.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
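
The "handle for a reputation system, not a whitelist" point made in this message, as an added example that is not part of the original post. It assumes DKIM verification has already been done upstream and recorded in an Authentication-Results header (RFC 8601, parsed here in simplified form); the domains, feedback counts, thresholds and the worst-signer policy are constructed assumptions.

```python
import re
from collections import defaultdict

MIN_SAMPLES = 10                       # feedback needed before a score counts (assumed)
JUNK_BELOW, DELIVER_ABOVE = 0.3, 0.7   # assumed policy thresholds


def dkim_pass_domains(auth_results):
    """Return the d= domains whose DKIM signature verified, from one
    Authentication-Results header value (simplified: no quoted strings)."""
    value = re.sub(r"\([^()]*\)", " ", auth_results)   # drop (comments)
    domains = []
    for resinfo in value.split(";")[1:]:               # [0] is the authserv-id
        tokens = resinfo.split()
        if not tokens or tokens[0].lower() != "dkim=pass":
            continue
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key.lower() == "header.d" and val:
                domains.append(val.lower().rstrip("."))
    return domains


class SignerReputation:
    """Ham/spam feedback counted per signing domain, with a smoothed score."""

    def __init__(self):
        self.ham = defaultdict(int)
        self.spam = defaultdict(int)

    def feedback(self, domain, is_spam, count=1):
        (self.spam if is_spam else self.ham)[domain] += count

    def samples(self, domain):
        return self.ham[domain] + self.spam[domain]

    def score(self, domain):
        # Laplace smoothing: a signer with no history sits at 0.5.
        return (self.ham[domain] + 1) / (self.samples(domain) + 2)


def disposition(auth_results, rep):
    """Decide what to do with a message based on who verifiably signed it."""
    domains = dkim_pass_domains(auth_results)
    if not domains:
        return "no-handle"          # nobody to praise or blame; use other signals
    known = [d for d in domains if rep.samples(d) >= MIN_SAMPLES]
    if not known:
        return "unknown-signer"     # a valid signature alone earns nothing
    worst = min(rep.score(d) for d in known)   # policy choice: judge by worst signer
    if worst < JUNK_BELOW:
        return "junk"
    if worst > DELIVER_ABOVE:
        return "deliver"
    return "content-filter"


def sample_reputation():
    """Constructed recipient feedback history."""
    rep = SignerReputation()
    rep.feedback("bulk.example.net", is_spam=True, count=48)
    rep.feedback("bulk.example.net", is_spam=False, count=2)
    rep.feedback("lists.example.org", is_spam=False, count=95)
    rep.feedback("lists.example.org", is_spam=True, count=5)
    rep.feedback("new.example.com", is_spam=False, count=1)
    return rep


# Constructed Authentication-Results header values.
H_BULK = "mx.example.net; dkim=pass header.d=bulk.example.net header.s=k1; spf=pass smtp.mailfrom=bulk.example.net"
H_LIST = "mx.example.net; dkim=pass (2048-bit key) header.d=lists.example.org header.s=s2020; dmarc=pass header.from=lists.example.org"
H_NEW = "mx.example.net; dkim=pass header.d=new.example.com header.s=a"
H_FAIL = "mx.example.net; dkim=fail (body hash did not verify) header.d=lists.example.org; spf=pass smtp.mailfrom=lists.example.org"

if __name__ == "__main__":
    rep = sample_reputation()
    for name, hdr in [("bulk", H_BULK), ("list", H_LIST), ("new", H_NEW), ("fail", H_FAIL)]:
        print(name, disposition(hdr, rep))
```

The validly signed bulk sender is junked and the validly signed newcomer gets no credit, while a failed signature on a well-regarded domain borrows none of that domain's standing.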


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Michael Thomas



On 3/7/20 3:53 PM, Sean Donelan wrote:

> On Sat, 7 Mar 2020, John Levine wrote:
>> This must be some DKIM other than the one the IETF standardized and
>> every large mail provider uses to manage mail streams.  There's no
>> CA's, you publish your own verification key in your DNS, and it costs
>> nothing beyond the software upgrades to use.
>
> Most DNS registers avoid verifying customer information as long as the 
> payment clears (for a short time).  DKIM (and DNSSEC) is built on top 
> of trusting tokens from third-parties which disclaim all liability.



That's not how DKIM works at all. Even a little bit.

Mike


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Sean Donelan

On Sat, 7 Mar 2020, John Levine wrote:

> This must be some DKIM other than the one the IETF standardized and
> every large mail provider uses to manage mail streams.  There's no
> CA's, you publish your own verification key in your DNS, and it costs
> nothing beyond the software upgrades to use.


Most DNS registers avoid verifying customer information as long as the 
payment clears (for a short time).  DKIM (and DNSSEC) is built on top of 
trusting tokens from third-parties which disclaim all liability.


Cryptography is not magic pixie dust.  It won't create trust between 
unknown parties.  Cryptography works between parties already known to 
each other to verify existing trust. Phone companies and advertisers have 
already demonstrated they can't be trusted to act as third-party 
introducers.  They are more than willing to sell-out that trust to the 
highest bidder.


The reality is my phone already knows the numbers of my circle of friends 
and loved ones.  Overseas call centers randomly generating phone numbers 
aren't matching the subset of phone numbers that cause my phone to ring.
When the scammers start matching social media circles and phone numbers, 
then I'll need something new.


Eventually we'll have STE/STU-equivalent end-to-end verification on our 
smartphones.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread John Levine
In article  you write:
>
>Has encryption ever solved scams/fraud/spam?

No, but signatures have helped so you can more easily identify known
friends and concentrate the analysis on the rest.

>DKIM signed email - Just pay a mail provider more money to blast email

This must be some DKIM other than the one the IETF standardized and
every large mail provider uses to manage mail streams.  There's no
CA's, you publish your own verification key in your DNS, and it costs
nothing beyond the software upgrades to use.

R's,
John


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Michael Thomas



On 3/7/20 11:54 AM, Sean Donelan wrote:


> Has encryption ever solved scams/fraud/spam?
>
> Extended Validation SSL Certificates - Just pay a Certificate 
> Authority more money
>
> DKIM signed email - Just pay a mail provider more money to blast email
>
> SWIFT encrypted payments - Just find the weakest bank somewhere in the 
> world




it takes an ecosystem, authentication being one tool. before we did dkim 
practically nobody was using smtp auth. i would like to think that the 
accountability end of dkim's "blame us" had some effect, but it was 
probably in the water at the time.


Mike



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Sean Donelan



Has encryption ever solved scams/fraud/spam?

Extended Validation SSL Certificates - Just pay a Certificate Authority 
more money


DKIM signed email - Just pay a mail provider more money to blast email

SWIFT encrypted payments - Just find the weakest bank somewhere in the 
world




Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Christopher Morrow
On Sat, Mar 7, 2020 at 1:11 PM Michael Thomas  wrote:
>
>
> On 3/7/20 9:53 AM, Christopher Morrow wrote:
> > On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway  wrote:
> >>
> >> On 3/7/20 8:03 AM, Christopher Morrow wrote:
> >>> On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  
> >>> wrote:
> >>>
> >>>> So, if my telco can bill the callers for those premium calls, they
> >>>> surely know who they are, or at least know where they are sending the
> >>>> bill and getting payment from.
> >>> You are mistaken, billing is very hard.
> >>> Telcos show this regularly.
> >>>
> >> On the contrary: billing is easy. Getting it right is hard.
> >
> >
> > I like that Mr Thomas's answer: "Why can't we just cryptographically
> > sign the caller's ANI and use that as a method to ID real callers we
> > care about?"
> > since that was my suggestion to the stir folk in their very first
> > meeting... "what about ebony phones!" said the lawyer from
> > telco-ville.
>
> Well to be clear, i think it's high time to just ignore the old pstn
> identity stuff altogether and just use the SIP From.

that too was my message 12 yrs ago... I thought:
  1) cell phones and anything like a cell phone (sip things)  can 'just do this'
  2) anything not in category1 could have the data stamped by the
thing electrically connected to it (in the CO)

really, this isn't TOO hard, and it enables a new business in the
'directory of certs' business...
and clear info to the endpoints about the caller:
  "This number says 1900-foo-bart, but that's not matching the Cert I
have for FooBart services? fake-call!"

lots of good options there, little interest from 'telco lawyer troll'
in the room. #ebonyphone!


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Michael Thomas



On 3/7/20 9:53 AM, Christopher Morrow wrote:
> On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway  wrote:
>>
>> On 3/7/20 8:03 AM, Christopher Morrow wrote:
>>> On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  wrote:
>>>
>>>> So, if my telco can bill the callers for those premium calls, they
>>>> surely know who they are, or at least know where they are sending the
>>>> bill and getting payment from.
>>> You are mistaken, billing is very hard.
>>> Telcos show this regularly.
>>>
>> On the contrary: billing is easy. Getting it right is hard.
>
> I like that Mr Thomas's answer: "Why can't we just cryptographically
> sign the caller's ANI and use that as a method to ID real callers we
> care about?"
> since that was my suggestion to the stir folk in their very first
> meeting... "what about ebony phones!" said the lawyer from
> telco-ville.


Well to be clear, i think it's high time to just ignore the old pstn 
identity stuff altogether and just use the SIP From.


Mike




Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Christopher Morrow
On Sat, Mar 7, 2020 at 4:10 AM Bryan Holloway  wrote:
>
>
> On 3/7/20 8:03 AM, Christopher Morrow wrote:
> > On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  
> > wrote:
> >
> >> So, if my telco can bill the callers for those premium calls, they
> >> surely know who they are, or at least know where they are sending the
> >> bill and getting payment from.
> >
> > You are mistaken, billing is very hard.
> > Telcos show this regularly.
> >
>
> On the contrary: billing is easy. Getting it right is hard.

You are technically correct, the best kind of correct.

Seriously though, a bunch of the conversation about shaken/stir and
various problems with spam callers reveals:
  "telcos don't care (for any reason you can imagine)"
  "gov't mandates aren't  really going to help"
  "people care as recipients of these calls, but really there are
options for them as well to not get the calls (or not answer them)"

I like that Mr Thomas's answer: "Why can't we just cryptographically
sign the caller's ANI and use that as a method to ID real callers we
care about?"
since that was my suggestion to the stir folk in their very first
meeting... "what about ebony phones!" said the lawyer from
telco-ville.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls (fwd)

2020-03-07 Thread John R. Levine

In article ,
Christopher Morrow  wrote:

> On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell
> wrote:
>
>> So, if my telco can bill the callers for those premium calls, they
>> surely know who they are, or at least know where they are sending the
>> bill and getting payment from.
>
> You are mistaken, billing is very hard.  Telcos show this regularly.


For anyone who hasn't been paying attention, there are no 900 numbers any more,
the last carrier having exited the business a few years back.  As far as I can
tell there are no premium rate NXX-976 numbers either.  The advent of cell
phones made them unworkable, since there's no way to charge anything back to a
prepaid phone.

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-07 Thread Bryan Holloway



On 3/7/20 8:03 AM, Christopher Morrow wrote:
> On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  wrote:
>
>> So, if my telco can bill the callers for those premium calls, they
>> surely know who they are, or at least know where they are sending the
>> bill and getting payment from.
>
> You are mistaken, billing is very hard.
> Telcos show this regularly.

On the contrary: billing is easy. Getting it right is hard.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-06 Thread Christopher Morrow
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell  wrote:

> So, if my telco can bill the callers for those premium calls, they
> surely know who they are, or at least know where they are sending the
> bill and getting payment from.

You are mistaken, billing is very hard.
Telcos show this regularly.


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-06 Thread Brian J. Murrell
On Fri, 2020-03-06 at 18:37 -0500, b...@theworld.com wrote:
> 
> Why don't they just ask the phone companies who are billing these
> robocallers who they are and we can arrest them.

Exactly.

I have always maintained that if my phone number were one of those
"premium" numbers (1-976 -- maybe I am dating myself but you know what
I mean -- where calls to it were billed at $5/min), I am sure that my
telco (the one providing me the premium number on my phone line
that runs into my location) would always know exactly who to send the
bill to for every call that called my number, including robocallers[1].

So, if my telco can bill the callers for those premium calls, they
surely know who they are, or at least know where they are sending the
bill and getting payment from.

But who are we kidding?  The telcos have been making money hand over
fist with robocalls and are not really all that motivated to dry up
that revenue stream.  Regulation (as much as I hate it in general) is
the only solution.

Making the allowing of robocalls more expensive than preventing them is
the only solution.  Whether that is through fines as a result of
regulation or otherwise.

Cheers,
b.

[1] I remember hearing a story of a guy, in the UK I think, that got a
premium number and then printed business cards with it on it and then
ran around a trade show handing out the cards.  That seems kind of
shady, but the idea of getting a premium number and having it
criminally sold to telemarketers, phishers and scammers makes me giddy.



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-06 Thread bzs


On March 6, 2020 at 17:34 s...@donelan.com (Sean Donelan) wrote:
 > 
 > https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-combat-robocalls
 > 
 > Federal Communications Commission Chairman Ajit Pai today proposed a major 
 > step forward to further the FCC’s efforts to protect consumers against
 > spoofed robocalls: new rules requiring implementation of caller ID 
 > authentication using so-called “STIR/SHAKEN” technological standards. 
 > STIR/SHAKEN enables phone companies to verify the accuracy of caller ID 
 > information that is transmitted with a call. Industry-wide
 > implementation would reduce the effectiveness of illegal spoofing, allow 
 > law enforcement to identify bad actors more easily, and help phone 
 > companies identify calls with illegally spoofed caller ID information 
 > before those calls reach their subscribers.
 > 
 > The FCC will vote on these new rules during its Open Meeting on March 31.

Why don't they just ask the phone companies who are billing these
robocallers who they are and we can arrest them.

[

And if your urge is to jump on your keyboard and deny the telcos know
exactly who they are please ask yourself if you really know or are you
just defending some world view based on nothing really other than
you're uncomfortable with such treachery.

Last time we went around this several weeks ago people who actually
truly have worked in the telco biz on exactly this sort of thing
responded yes, exactly, the telcos know just who they are and do
indeed bill them for those robocalls.

]

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-06 Thread Clayton Zekelman



Good luck supporting it on legacy TDM switches.  I know work-arounds
exist, but nobody wants to invest any money in modifying legacy gear.


At 05:34 PM 06/03/2020, Sean Donelan wrote:
>
> https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-combat-robocalls
>
> Federal Communications Commission Chairman Ajit Pai today proposed a
> major step forward to further the FCC’s efforts to protect consumers
> against spoofed robocalls: new rules requiring implementation of caller
> ID authentication using so-called “STIR/SHAKEN” technological standards.
> STIR/SHAKEN enables phone companies to verify the accuracy of caller ID
> information that is transmitted with a call. Industry-wide
> implementation would reduce the effectiveness of illegal spoofing, allow
> law enforcement to identify bad actors more easily, and help phone
> companies identify calls with illegally spoofed caller ID information
> before those calls reach their subscribers.
>
> The FCC will vote on these new rules during its Open Meeting on March 31.


--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409



Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

2020-03-06 Thread Michael Thomas



On 3/6/20 2:34 PM, Sean Donelan wrote:
>
> https://www.fcc.gov/document/chairman-pai-proposes-mandating-stirshaken-combat-robocalls
>
> Federal Communications Commission Chairman Ajit Pai today proposed a
> major step forward to further the FCC’s efforts to protect consumers
> against spoofed robocalls: new rules requiring implementation of caller
> ID authentication using so-called “STIR/SHAKEN” technological standards.
> STIR/SHAKEN enables phone companies to verify the accuracy of caller
> ID information that is transmitted with a call. Industry-wide
> implementation would reduce the effectiveness of illegal spoofing,
> allow law enforcement to identify bad actors more easily, and help
> phone companies identify calls with illegally spoofed caller ID
> information before those calls reach their subscribers.
>
> The FCC will vote on these new rules during its Open Meeting on March 31.



In my opinion, STIR/SHAKEN is solving the wrong problem. e.164 addresses 
are dinosaurs and pretty irrelevant for identity. Cryptographic 
protection of the From: address in SIP would be a lot more sane because 
we already know how to do that. Since it's basically an all SIP world 
these days, we should just retire e.164'isms and move on.


Mike