Friday, August 10, 2007

SPIT and SPAM

As a guest today on Talk of the Nation, I covered a variety of topics relating to spam, which is growing faster than ever.

Responding to a call-in question about open source software, I speculated that Firefox is no more secure than IE. I based this on theoretical arguments that might apply if Firefox were as popular a target as IE, and if the settings were as flexible, but in reality what I said is wrong. Contrary to the suspicions of one angry podcaster (who issued a fatwa on my head!) I have no financial motivation to "lie" about Firefox. In fact, as an investor in Flock which builds on the Mozilla code, I am happy to be corrected about the security of Firefox.

I guess I also provoked disagreement from the other guest, Dechlan McCullagh of CNET, who was articulate, well-informed, and clearly more comfortable on radio than I. I made the prediction that one day email spam will pale in comparison to SPIT (SPam over Internet Telephony). With free VOIP calls, spammers can now use computers overseas to generate voice messages that they broadcast to every 10 digit telephone number in North America.

"Press 1 to join Party Chat! Sexy Singles are standing by..." "You've been pre-approved for a low-rate credit card! Press 1 to complete your application..." "Why pay so much for prescriptions? Press 1 to get a free month of medicine from Cayman Islands Pharmacy..."

They needn't pay for the calls, the human reps, or the lists of valid phone numbers (so unlisted cell phones are vulnerable). Email spam is bad enough, but when our phones ring constantly, the intrusion on our lives will be profoundly greater, and unlike email spam, SPIT will carry payloads that cannot be examined until after we accept the call.

Anyway, I predicted that one day we'll be forced to turn off our ringers altogether, marking the end of real time telephone conversations. Dechlan pointed out that we could simply choose to ignore calls from people we don't know, as one of his buddies does. Good idea, except that the spammers will use our friends' and family's phones to call us, just as they do today with email.

Blogged with Flock

4 comments:

  1. One possible way to fight phone spam is to use a PKI type system(ssl certs for the phone for example).


    Now the birth of such a system would require the annoyance of SPIT to drive people to:

    A. Purchase hardware/software that is capable of participating in such a system.

    B. People enrolling, configuring, maintaining and possibly paying for the system.

    C. Enduring a few missed or mishandled calls.

    The system would work something like this... providers would issue SSL type certificates to their subscribers. The users of the system could have the option of configuring their phone to ring if for example: the receiver has the number calling saved in their phone book and the certificate matches the number or the user is a US based subscriber with a valid certificate and ignore calls from anyone who is not part of the system.

    You would basically have a white list and black list as part of your service and rules about how to treat calls that meet or do not meet pre-defined rules.
    The list could be customize by location, certificate issuer integrity, certificate integrity.... etc.

    Misha

    ReplyDelete
  2. Michael,

    PKI would stop the spoofing of Caller ID, but it wouldn't stop malware on our phones (an inevitable reality) from exercising our contact lists to make the calls for the spammers.

    ReplyDelete
  3. Yep... you are absolutely correct. As we strive to make our phones more open and populate them with as many cool and useful features as possible while opening up methods for integrating them with everything from WiFi networks to cars, toasters and refrigerators we give up significant amounts of security in exchange for convenience. Some technology can probably be used to make phones more secure (store phonebook in encrypted format readable only if authorized user fingerprint is present in combination with phone ESN/IMEI... turn of blue tooth or wifi, whatever).

    The bottom line here is that fraud and scams have been around for ages. The eternal battle of good vs. evil that will never be won or lost. It's really up to the user to understand the risks before getting involved in a technology (Caveat emptor). The society will adopt and eventually figure out a way to deal with the problem by allowing the industry to monetize a solution and make it easily available and manageable. Then a new way to bug people will gain popularity and take advantage of yet another great technology :).


    Misha

    ReplyDelete
  4. Anonymous5:42 AM

    manageable. Then a new way to bug people will gain popularity and take advantage of yet another great technology :).

    ReplyDelete