Posts categorized "Security"

Is Craigslist blocking VoIP, Prepaid phone numbers in anti-spam effort?

Is Craigslist really blocking phone numbers from VoIP service providers or pre-paid cell phones as an anti-spam measure?

Last night over on the VoIPinsider blog, Cory Andrews wrote that Craigslist is apparently blocking VoIP or prepaid cellular numbers as part of their anti-spam measures. Now I'm a huge fan of Craigslist and we've sold lots of items (including, now, our house) via Craigslist. But we've also seen the spam out there and personally been contacted in response to one of our ads by a sleazy individual who was trying to scam us out of money. Techdirt, in fact, says that the battle has been lost and that the spammers are taking over Craigslist. While it wasn't that dreadful in the Vermont Craigslist area, there certainly was some spam and you can understand the folks there wanting to do all they can to block spammers.

But to block VoIP service providers? Just as increasingly large numbers of users move over to VoIP services?

THE APPARENT ACTIONS

It seems a rather draconian - and misguided - measure. As the VoIP Insider article states:

A few months back, Craigslist instituted a telephone verification process that places an automated outbound call to a user placing a classified ad in certain categories. The call delivers a unique code using text to speech, which is then used by the poster to authenticate the ad they are placing.

This is an effective measure for dealing with spam, and a great thing for legitimizing the Craigslist user experience….but not so great if you are a Craigslist user and you also happen to be a VoIP or prepaid cellular user.

The problem is that Craigslist is categorically blocking legitimate VoIP and Pre-paid cellular users from authenticating themselves.

While I've not encountered the phone verification process in any posting I've done to Craigslist (but have seen CAPTCHA images all the time), I can see how the process would be useful in combatting spammers. The article goes on:

Craig’s uses a 3rd party service, ReduceFraud.com to screen out VoIP and Pre-paid cellular numbers, and will not deliver an automated verification call to a number that is determined to be such. (Since only SPAMMERS use VoIP and Pre-Paid Cellular!!!) What sophisticated algorithm does ReduceFraud.com use to identify VoIP numbers, you ask? They check the DID number to see who owns the NPA NXX X number block, and if the DID number is owned by Level 3 Communications, they classify it as VoIP of course. Whizbang!

Oops.

My immediate question was whether this is for all VoIP service providers. This BroadbandReports.com forum thread would seem to indicate that "fixed lines", even fixed VoIP lines, would come up as okay. So phone numbers from VoIP services from telephone carriers or cable providers would probably be okay. So it may just be the phone numbers of VoIP service providers who are not tied to a fixed infrastructure (and who provide connectivity to so many of the innovative services out there today!).

THE PROBLEM

There are, though, some fairly obvious problems with this approach to blocking phone calls:

  1. LOCAL NUMBER PORTABILITY - Here in North America, phone numbers are "portable" (to a degree) via "Local Number Portability" (LNP) between carriers. So a phone number that may come up as "fixed" may in fact go to a VoIP service (and possibly to a spammer) due to LNP. Now perhaps the third-party service used by Craigslist is doing LNP database lookups.

  2. FORWARDING SERVICES - There are plenty of services (including one identified in the VoIP Insider article) that will forward calls to another phone number. I could even do this easily with something like Asterisk running on my (fixed) home phone number that then forwarded the call out via SIP.

It seems to me that it would be relatively trivial for any serious spammer to obtain a "fixed" phone number that would defeat this blocking mechanism. Certainly this would block some of the less savvy spammers who are just trying to use disposable phone numbers... but in the meantime it may well block legitimate posters who happen to use telephone numbers from VoIP service providers.

THE ANSWERS?

So is Craigslist really blocking VoIP phone numbers? Garrett Smith (from VoIP Insider) indicated in an email that someone there was in touch with Craig and Craig indicated he was not personally aware of the blocking. Obviously, someone within the Craigslist organization has engaged this external company, ReduceFraud.com, in their ongoing efforts to fight spam. The blocking seems to lie in there. What needs to happen now is some conversation with those folks to understand what exactly it is they are doing.

We'll have some conversation, in any event, about this issue on today's Squawk Box at 11am US Eastern Time. Feel free to join us if you would like (you need to login via Facebook).

It's an interesting question - in the era when people can obtain cheap (even free) "disposable" phone numbers, how do you balance providing access to legitimate users while blocking using those numbers as a way to spam or perform other malicious actions?



My "Black Bag Security Review" hits IT Conversations' Top 10 Downloads for March 2008...

I was rather surprised but pleased to see that my "Black Bag Security Review" was on the list of the "Top Ten IT Conversations Shows for March 2008". My "surprise" was mostly because that particular talk is over a year old and was given at the ETel 2007 show back at the end of February 2007.

To be honest, I was not actually aware (or didn't remember, anyway) that the IT Conversations Network had distributed my talk but I'm guessing they did so with a number of the ETel sessions.

Unfortunately, they don't include the slides, which I put up in the Blue Box posting and also just generally made available on SlideShare. Without the slides, I suppose it works perfectly fine... I've just never listened to it that way. It was still one of the most fun presentations I've ever given. It also took a ton of time to prepare. 243 slides in 14 minutes... :-) (I did write up some notes about the presentation and the style, etc.)

Anyway, it's cool to see people discovering that session again. Nice surprise!



My presentations at VoiceCon this week...

I'm down in Orlando this week for VoiceCon Orlando and will be part of three sessions. Tomorrow, I'm moderating a panel at 8am on VoIP security and on Thursday I'm moderating a panel on open source telephony. On Wednesday, I'll be part of a keynote panel with Irwin Lazar on "Social networking and enterprise communication", which should be quite fun. I'll include below the full descriptions of the various sessions. If you are attending VoiceCon and want to connect, please do contact me.

Session Title: Top VOIP Security Threats
Date: 3/18/2008
Time: 8:00 AM
Room: Osceola B
Session Description: There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild" -- and what to expect in the future.
KEY QUESTIONS:
  * What are the most serious voice-oriented attacks that are actually being carried out? What potential attacks haven't occurred yet but probably will before long?
  * How do you protect your VOIP systems against these attacks?
  * What types of equipment and technologies must you implement to stop voice-oriented attacks?
  * What specific kinds of damage can these attacks cause?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Panelist(s): Sachin Joglekar - Vulnerability Research Lead - Sipera Systems
David Endler - Director of Security Research - TippingPoint
Mark Collier - CTO - SecureLogix

Session Title: Open Source for Enterprise Voice: How Much, How Soon?
Date: 3/20/2008
Time: 11:45 AM
Room: Sun C
Session Description: Open source PBXs are gaining a higher profile: Asterisk and other open-source PBX software packages continue to gain acceptance, and some traditional PBX vendors have implemented open source code for their products. But these efforts still aim mainly at smaller implementations. In this session, you'll learn why open source PBX software has growing appeal, and whether it will appeal to larger customers as the market progresses.
KEY QUESTIONS:
  * What level of market share and acceptance has open source PBX software attained? What is expected?
  * Which products use open source PBX software?
  * What are the most compelling reasons for choosing open source PBX software? What are the greatest areas of concern in making this choice?
  * What are the technical challenges of an open-source PBX deployment, and how are these overcome?
  * What are some real-world customer experiences with open source PBX software?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Speaker(s): M Raza - Product Management - 3Com
Bill Miller - VP, Prod Mgt & Mktg - Digium
Tony Pereira - Business Leader Business Communications - Nortel

Session Title: Social Networking Meets Enterprise Communications
Date: 3/19/2008
Time: 10:30 AM
Room: Osceola C
Session Description: It's no secret that the world of enterprise communications is undergoing a transformation; IP Telephony and Unified Communications are changing the nature of the game. Now new forms of interaction, which began in the consumer/personal communications market -- blogs, wikis and online services like Facebook -- are migrating into the enterprise. Where do these social networking systems -- and mindset -- fit into the enterprise communications landscape? Join us for a discussion about what's real today and what's likely to happen in the future.
Panelist(s):
Dan York - Dir of Emerging Comm Tech - Voxeo
Irwin Lazar - Principal Analyst & Program Director, Collaboration & Convergence - Nemertes Research



UK suggests carrying multiple mobile phones may make you a terrorist!

Over the weekend, Pat Phelan posted about a sign in the UK that asks "What if someone with several (mobile phones) seems suspicious?" (Click on the image to the right to see the sign larger.) The paragraph then reads:
Terrorists need communication. They often collect and use many anonymous pay-as-you-go phones, as well as swapping SIM cards and handsets. If you're suspicious of the number of phones someone has, we need to know. Let experienced officers decide what action to take.

On one level, I do understand the point they are trying to make. But on another level, I just think of all the people I know who travel to trade shows and conferences with a whole range of cell phones!






IETF "RUCUS" BOF to be held about SPIT...

Over on the Voice of VOIPSA blog today I posted about a new session that has been approved for the IETF 71 meeting coming up in Philadelphia in March, called "Reducing Unwanted Communications using SIP", a.k.a. "RUCUS". Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. I'm planning to be at the RUCUS session at IETF 71 and would encourage others who want to talk about voice spam / SPIT to join in as well!



I'll be speaking at Ingate's SIP Trunking Seminars at IT Expo in Miami next week

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA's behalf at Ingate's SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled "Seminar/myth 1: VoIP is not secure".

If you are going to be down at IT Expo, do check out the full schedule for Ingate's SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I'm always interested in meeting readers.



Heading to New York today for Interop... speaking tomorrow on VoIP Security

In a few hours I'll be boarding a plane back to New York where I'll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I'll be on a panel at 2:45pm with Jonathan Rosenberg about "Voice-oriented Attacks". (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of "security"-related sessions!) If you aren't aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He's also the author of "The Hitchhiker's Guide to SIP" which aims to help guide people through the maze of the many, many documents that now are part of "SIP". More relevant to tomorrow's session, he's also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)... we'll see if we can make it fun as well. I've also asked Interop for permission to record it and run it as a Blue Box podcast - we'll see if they give me permission.

Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 - LEVEL 1. Assuming that everything works with my flights today, I'll be there.

I'll even have some new business cards to give out... ;-)



Additional thoughts on Skype and hotel networks - there's issues on both sides...

To my immense surprise, my article yesterday about my challenges with Skype and my hotel Internet connection just hit TechMeme today, so welcome, anyone who is coming my way from there. But that also prompted me to want to offer up some additional thoughts on the subject.

First, I'm actually quite annoyed at the Best Western here in Ontario, CA, for essentially blocking Skype by virtue of their network security traffic policies. If travel brings me to Ontario, CA, again, you can be pretty sure that I will not be staying here. Skype has become an important communication tool for me and <cue violins>was the way I was intending to call home and stay in touch with my family</violins>. Skype has worked great at the hotel I was at earlier in the week in Phoenix and in fact at every other hotel I've been at lately. I do intend to contact Best Western to express my dissatisfaction at being unable to use the program.

Having said that, as a security professional I do understand WHY the security team at the Internet provider to this Best Western hotel has the policies in place that they do. As Phil Wolff commented, Skype's launch "can look like the beginning of port scanning or a bot-gone-wild". Given that this provider is dealing with hotel rooms where random strangers are connecting who-knows-what onto the network, they have to be extremely vigilant (especially because customers like me will complain quickly if Internet access is slow/unavailable). The more I think about it, hotel networks are really an absolute nightmare from a security point-of-view. You have no way to enforce virus protection, people can put all sorts of machines in all sorts of states onto the network, systems with spyware can easily be scanning/attacking your network - it's really pretty crazy and I'm glad that I'm not involved with running such a network! (Although the security geek in me would admit that the aggregate data they must get from network traffic would probably be fascinating.) However, there is probably a compromise out there where the ISP can tune its filtering rules so that if it sees such traffic and can identify it as Skype traffic, it does not trigger the MAC lock-out.

Which brings me to the final point that there's a lesson here for anyone developing P2P apps, or I suppose any other apps that have a similar traffic profile. If the app generates traffic that looks like a bot or port scan, odds are that it will be blocked in some places like this one (and the hotel Phil was at). It would be great if developers could take that into account and either: a) naturally put in some kind of rate throttling; or b) perhaps provide a "hotel mode" where it throttles back the number of sessions to some (perhaps user-settable but with a default) value. This of course would make it take longer for things like presence information to appear, but would at least let you continue to operate the program without triggering the network security alarms. Of course, you'd have to change to that mode, which many people would forget to do and wind up being locked out, but it might be an interesting "advanced" option for those who know what to do with it.

Any other "lessons learned" you see here?



How using Skype disrupted my hotel Internet connection and locked me out

UPDATE: I have now posted some additional thoughts about this issue.


It's been a frustrating time here at the hotel in Ontario, CA, where all I've been trying to do is use the Internet connection. I'm staying at the Best Western and did so largely because they advertised free high-speed Internet (they were also cheaper than others). First annoyance was discovering that I was too far away from their APs to use wireless, but since I had an ethernet cable I just plugged into the wall jack and expected to get access. The very first time I connected, I did get an IP address and could see an entry in my routing table for the default gateway. However, I couldn't ping it.

Being rather used to network troubleshooting, I did the usual things... bringing the interface up and down, disconnecting and re-connecting the cable. I even went to the hotel lobby and got a new cable in case the issue was with my portable/retractable cable.

Nothing. No net.

In desperation I did the thing that tech support always tells you to do but I avoid... reboot. Nothing.

So finally this morning I got on the phone to the Best Western tech support and after waiting, oh, 20 minutes or so I got through to a tech and ultimately we figured out the problem:

Skype!

More specifically, all the bizillion connections that Skype was making out into the P2P cloud. The tech reset the switch and asked me to connect again and his immediate response was "Whoa! Something on your computer is generating an incredible number of sessions out to the Internet! You are tripping our filters and it is blocking out your MAC address." With him on the phone, we tried some experimentation. I shut down Skype, at which point he said I was generating much more normal traffic. As soon as I launched it again, he noticed a very large jump in the number of session connections I was establishing. He said it was something like 396 sessions he was seeing coming from my computer. He also said that I'll keep being locked out of their system if I keep Skype running.

So I shut down Skype. Which, of course, is annoying. Part of why I wanted to use the high-speed Internet is to use Skype for IM and for voice/video calls.

I find it a bit odd that Skype was generating so much extra traffic, but then again I am pretty much always connected into several persistent group chats and had maybe 8 or 10 individual chat windows still open that I'd left open from when I'd last been chatting with the person. (The Mac Skype client makes this easy to do, but I'll write about that sometime.) The persistent group chats, especially, do generate a good number of connections as they link out into the P2P cloud. Perhaps if I closed all of those windows and killed off all my individual chat windows Skype might have behaved better. (Or perhaps not, I might have had to leave the persistent chats in order for Skype to stop making those connections.) I don't want to try it out, because I do want to keep my Internet connection up right now.

In any event, should you be at a hotel and find yourself unable to connect... it might be a P2P app like Skype tripping off the hotel's filters and blocking your access. Fun, fun, fun....
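The kind of per-client session-burst filter that locked out this connection, and the "hotel mode" throttling suggested in the follow-up post above, as an added example (not code from these posts, from the hotel's ISP, or from Skype): it counts distinct outbound sessions per client MAC inside a sliding window and locks the client out once a limit is exceeded. The flow-log format, the 200-session limit and the 60-second window are assumptions, and the log lines are constructed.

```python
"""Per-client session-burst filter of the sort a hotel ISP might run.
Added example; log format, thresholds and log lines are all assumed/constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SESSION_LIMIT = 200   # distinct outbound sessions allowed per client per window (assumed)
WINDOW_SECONDS = 60   # sliding window the filter evaluates (assumed)


def parse_line(line):
    """'<ISO timestamp> <client MAC> <dst ip>:<dst port>' -> (ts, mac, dst)."""
    ts, mac, dst = line.split()
    return datetime.fromisoformat(ts), mac.lower(), dst


def find_lockouts(lines, limit=SESSION_LIMIT, window=WINDOW_SECONDS):
    """Return {mac: timestamp} for each client whose number of distinct
    outbound sessions inside any `window`-second span exceeds `limit`.
    Lines must be in time order, as a live flow log would be."""
    span = timedelta(seconds=window)
    recent = defaultdict(deque)                     # mac -> (ts, dst) still in window
    active = defaultdict(lambda: defaultdict(int))  # mac -> dst -> hits in window
    locked = {}
    for line in lines:
        ts, mac, dst = parse_line(line)
        if mac in locked:            # already blocked; nothing more to decide
            continue
        q, counts = recent[mac], active[mac]
        while q and ts - q[0][0] > span:            # drop sessions that aged out
            _, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        q.append((ts, dst))
        counts[dst] += 1
        if len(counts) > limit:      # too many distinct peers: looks like a scan or a bot
            locked[mac] = ts
    return locked


def constructed_log(mac, start, n_sessions, seconds):
    """Constructed flow log: n_sessions distinct peers spread evenly over
    `seconds` seconds, using addresses from the 198.51.100.0/24 documentation range."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i in range(n_sessions):
        ts = t0 + timedelta(seconds=i * seconds / n_sessions)
        lines.append(f"{ts.isoformat()} {mac} 198.51.100.{i % 256}:{30000 + i}")
    return lines


LAPTOP = "aa:bb:cc:dd:ee:01"    # constructed client MAC
START = "2007-10-23T14:05:00"   # constructed start time

# Skype-like start-up: 396 sessions out to the P2P cloud within 20 seconds.
BURST = constructed_log(LAPTOP, START, 396, 20)
# Ordinary browsing: a few dozen sessions in a minute.
BROWSING = constructed_log(LAPTOP, START, 30, 60)
# A "hotel mode" client opening the same 396 sessions throttled over four minutes.
THROTTLED = constructed_log(LAPTOP, START, 396, 240)

if __name__ == "__main__":
    for name, log in (("burst", BURST), ("browsing", BROWSING), ("throttled", THROTTLED)):
        hit = find_lockouts(log)
        print(f"{name:10s} locked out at: {hit.get(LAPTOP, 'never')}")
```

Only the 20-second burst trips the filter; the throttled client opens the same peers but never has more than about a hundred of them inside any one window.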


Great overview of SIP security now posted on Blue Box site...

Over on Blue Box, I uploaded on Friday what I consider one of the best overviews about SIP security that we've done: Blue Box Special Edition #20.  I recorded the interview out at VoiceCon San Francisco in August and it's with Cullen Jennings who is a Distinguished Engineer at Cisco Systems, but more relevant to SIP is one of the Area Directors for the Real-time Applications and Infrastructure (RAI) area within the IETF.  Basically all of the proposals for RFCs relating to SIP roll up under the RAI area.  Cullen's also quite interested in and knowledgeable about security and in fact several of the security-related RFCs related to SIP include Cullen as one of the authors (as do a number of the current proposed Internet-Drafts). 

So he knows his stuff... and being a frequent presenter, he's also good at distilling complex things down into more simple descriptions, so it was an enjoyable interview that I think you will also find quite educational.  If you're working with SIP, or considering it, I'd highly recommend you listen to the show.