Interesting People mailing list archives

more on How we got it wrong on Calling-Number ID [RISKS] Risks Digest 24.05


From: David Farber <dave () farber net>
Date: Mon, 3 Oct 2005 11:29:42 -0400



Begin forwarded message:

From: Bob Frankston <Bob2-19-0501 () bobf frankston com>
Date: October 2, 2005 7:02:48 PM EDT
To: dave () farber net, 'Ip Ip' <ip () v2 listbox com>
Cc: 'Brad Templeton' <brad () templetons com>, Hiawatha Bray <h_bray () globe com>
Subject: RE: [IP] more on How we got it wrong on Calling-Number ID [RISKS] Risks Digest 24.05


Notice how much this parallels the DNS. At the same time the ITU is
insisting that ENUM meets their high standards for security.

It's a bit more difficult to see this with the DNS because as the many
messages show -- there's a lot invested in the current DNS as people build
upon the simplistic assumption that someone is taking care of the hard
problems and now we can have business and mechanisms that take advantage of
the names in the DNS. To the extent it doesn't seem to quite work we hope a
few tweaks will solve the problems.

We see this less with Caller-ID because it's so limited and the simple end point devices can't do much beyond block/nonblock. But sticking with that
assumption means we can't take advantage of the text messaging channel
rather than having to answer a "ring". Caller-ID doesn't even make it
across many network boundaries and the name is actually a reverse lookup
and not necessarily data. On a cell phone it looks it up in your address
book using a dumb algorithm.

I'll also respond to Hiawatha's question about what does it mean for Europe to take control. It's a good question because "control of what". Here too, we see piling on as if there were something real and intrinsic. Controlling
the DNS is seen as controlling the magic names that define the Internet.
Notice how often it's called "The Web" not The Internet because it's about
commerce and meaning not technology.

I realize my "beyond DNS" letter was opaque or too easily misinterpreted.
Explaining all the concepts requires far more than most would want to read.
So I'll try to stick to pointing out obvious absurdities while simply
noting that we don't have to use bad mechanisms because there are better
approaches. The reason we cling to what seems to work is that we want to
believe it works and thus look for confirmation rather than critical
examination.

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Sunday, October 02, 2005 18:23
To: Ip Ip
Subject: [IP] more on How we got it wrong on Calling-Number ID [RISKS] Risks Digest 24.05



Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: October 2, 2005 6:07:54 PM EDT
To: David Farber <dave () farber net>
Cc: Ip Ip <ip () v2 listbox com>
Subject: Re: [IP] How we got it wrong on Calling-Number ID [RISKS] Risks Digest 24.05



Unfortunately, just as caller-ID gets going, people are now learning it
has no authentication.   It's just a token passed along among providers,
with no trust rules or contracts, and lots of people have accounts
with providers that can provide fake caller id.  Furthermore since the
protocol was not designed with any means to authenticate it, it's unlikely
to ever be authenticated.  It's more like the From line of email.

I met one fellow who runs around demonstrating to various voice mail providers
who let you into your voice mail without a password if the caller-id matches
the box owner how this allows any interested party into the mail box.  Slowly
they are getting convinced to at least offer a passcode to the customer.

This is a shame, in that there would be a lot of applications which could
be enabled by authenticated caller-id, not just quicker access to voice
mail.   Of course you would still want the option to not authenticate or
be anonymous when desired.




-------------------------------------
You are subscribed as BobIP () Bobf Frankston com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



