[VOIPSEC] Truths on "Truth in Caller ID Act"
Zmolek, Andrew (Andy)
zmolek at avaya.com
Wed Oct 4 19:03:56 CDT 2006
Satyam is correct, there was *NEVER* any system in place within or
between PSTN carriers that prevented ANI spoofing, from its
original introduction within ISDN to the present, except in a few very
limited (almost trivial) cases. If you google "ANI spoofing" you will
notice that many of the 1,400 results are not recent at all (though
newer items tend to be overrepresented at the top).
An ANI validation database *could* be created (though there are some
complex use cases such as outsourcing and common use cases such as trunk
provisioning across trunks of multiple carriers that present some design
challenges), but up to the present time I've not seen any carrier or
regulatory interest in making that happen. Perhaps the ease with which
ANI spoofing can be accomplished via VoIP will encourage more discussion
on this topic in the future.
/\\//\Y/\ Andy Zmolek | zmolek at avaya.com | 303-538-6040
Senior Manager, Security Planning & Strategy
GCS Security Technology Development | Avaya, Inc.
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of styagi at sipera.com
Sent: Wednesday, October 04, 2006 9:21 AM
To: Mpierce1 at aol.com; voipsec at voipsa.org
Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"
Hi Mike,
Just one correction
>Before VOIP, we did not need this law, since the telephone system ensured
>that the CLI was correct,
This is not true; all PRI trunks to PBX are not validated for caller
ID by the service provider. Ever sit in Kevin Mitnick's presentation? He
sends calls to the participants' phones from the "White House".
Even though an Asterisk is used in his presentation for the PRI trunk, any
PBX could be used.
VOIP just made it (caller ID spoofing) free, easy and accessible for
everyone. (Like all other features :-)
Satyam