Comment by smallmancontrov
3 days ago
What ever happened to SHAKEN/STIR? I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume? I still get loads of spam phone calls, so clearly something went wrong (or slow enough to be indistinguishable from wrong).
I love a good tortured acronym:
> SHAKEN system, short for Signature-based Handling of Asserted information using toKENs [...]
> The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred". STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym."
https://en.wikipedia.org/wiki/STIR/SHAKEN
(Unrelatedly, seeing a slash used casually within the URL slug feels so wrong)
I like backronyms because it tells me someone with a soul was involved
LLMs are really good at making backronyms, in fact it might be one of the things they're best at. Try prompting any soulless overlord with "give me a backronym for <WORD> that relates to <SUBJECT>".
So maybe it's bad backronyms that demonstrate the soul. I don't know whose idea it was to allow a computer to generate whimsy; that should be interdicted by a fourth law of robotics.
I'm not certain, but I think on my phone incoming calls that fail SHAKEN/STIR show the caller id in red rather than black text. I'm on T-Mobile. It also shows "Number Verified" or something like that.
Now that you mention it, I believe I have seen a couple of red flagged calls, but I still get ~3 calls a day from a very aggressive business loan spammer, it's always a new number and never flagged.
That's because they are bulk purchasing numbers from voip providers, cycling through probably hundreds per day.
Anybody desperate enough to consider telemarketed merchant cash advances (MCAs) should look into them very carefully first. The contracts often have stipulations that allow them to draw money from your bank account at will, penalty interest rates that jump up 400% APR, have been known to use mafia enforcers to violently extract payments, and the list goes on. There was a more perfect union video (titled something about texting back a loan shark) with a bracing, if sensationalized, look at some of the worst ones.
According to a defcon talk, spammers just make sure all their spam gets routed through legacy TDM systems which discard the shaken/stir header because they're too old to support it. The other side then re-adds a "we got this from somewhere that didn't support this header" header.
> legacy TDM systems
Easy fix. It should be opt-in to accept a call that is routed through one of these. I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962 can call her son in New York, but for the rest of us who are not in that situation, we can just blacklist all those calls and lose nothing. This would even fix spam for the people who opt-in, because so few people have grandmas in rural France that it's not worth it for the spammers to bother anymore.
> Easy fix. It should be opt-in to accept a call that is routed through one of these.
Easier (and correct) fix: Telecoms operators should not be permitted to provide transit to a call that's routed through one of these.
> I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962...
This doesn't make sense. Even my inexpensive Mikrotik switches can augment packets with the ID of the port that they originated from. I do not believe for even a second that telecoms-grade switching equipment is unable to do the same. The fact that that grandma can send and receive calls tells you both that that equipment exists and that it knows what port her phone is connected to.
It is opt-in. There are three categories (according to that defcon talk): call originates from the number it says it does, call originates from our network but we're not sure about the number, and call came to us unverified (only allowed by regulation on legacy links).
Now, operators of those legacy links make A LOT of money for operating them since they carry 100% of the country's spam traffic, and they're not going to shut them down just because you think they should. The government would have to make them do it and they'll pretend upgrading is super expensive.
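The three categories in the comment above are the SHAKEN attestation levels (A = full, B = partial, C = gateway), carried in the `attest` claim of the PASSporT that rides in the SIP Identity header; the earlier comment about legacy TDM hops stripping the header is the case where the next IP carrier re-signs with level C. The following is an added illustration, not code from any commenter or from a real carrier: it builds a PASSporT with the RFC 8588 claim layout and shows a receiving side's screening decision, including the no-header and gateway cases. Assumptions: HMAC-SHA256 with a constructed shared key stands in for the ES256 certificate signature so the example runs with the standard library; the 60-second freshness window, the phone numbers and the certificate URL are placeholders.

```python
import base64, hashlib, hmac, json

# Constructed demo key; stands in for the carrier's ES256 signing key.
DEMO_KEY = b"demo-shared-secret-not-a-real-carrier-key"
FRESHNESS_S = 60  # assumed window for the iat claim (replay defence)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_passport(orig_tn, dest_tn, attest, origid, iat, key=DEMO_KEY):
    """Build a SHAKEN PASSporT (header + claims) as a compact signed token."""
    header = {"alg": "HS256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://cert.example.invalid/carrier.pem"}  # placeholder
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def classify_call(identity_header, now, key=DEMO_KEY):
    """Screening verdict for an incoming INVITE's Identity header (None if absent)."""
    if identity_header is None:
        return "UNVERIFIED: no Identity header (call crossed a non-IP/TDM hop)"
    token = identity_header.split(";")[0]  # drop info=/alg=/ppt= parameters
    parts = token.split(".")
    if len(parts) != 3:
        return "UNVERIFIED: malformed PASSporT"
    head_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_dec(sig_b64)):
        return "UNVERIFIED: signature check failed"
    claims = json.loads(b64url_dec(body_b64))
    if abs(now - claims.get("iat", 0)) > FRESHNESS_S:
        return "UNVERIFIED: stale PASSporT (possible replay)"
    level = claims.get("attest")
    if level == "A":
        return "VERIFIED: full attestation for " + claims["orig"]["tn"]
    if level == "B":
        return "PARTIAL: carrier vouches for the customer, not for the number"
    return "UNVERIFIED: gateway attestation (entered via an unverified link)"

if __name__ == "__main__":
    now = 1_700_000_000
    for lvl in ("A", "B", "C"):
        tok = make_passport("12015550100", "12125550101", lvl, "call-1", now)
        print(lvl, classify_call(tok + ";alg=HS256;ppt=shaken", now))
    print("-", classify_call(None, now))
```

The verdicts map onto what a handset shows: only level A earns a "Number Verified" style indicator, while a missing header or a level-C token is exactly the "never flagged, always a new number" traffic described elsewhere in the thread.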
I am more in tune with "just get it over with" than ever. IPv6? 25 years of this crap? Should have just said, Jan 1 2001, all routers must support 64 bit IPv4 addresses. Like the Chrome HTTPS switchover, JUST DO IT
Just because a call is a spam call doesn't mean it is spoofed. STIR/SHAKEN ends spoofing but anyone can ultimately buy a phone and make calls that are spammy.
Spoofing isn’t ended at all
Almost every spam call that I get is spoofed.
Someone here explained it, once.
I think the spoofed calls use a legacy transport tech that can’t be forced to validate.
Can't that legacy transport be blocked / not-be-peered with then? That's what usually happens with old insecure tech that is being phased out.
How do you verify it is spoofed? Have you asked your carrier to drop unverified calls from your service?
Sure, but with phone numbers that can't be spoofed, telcos can terminate service, and filtering technologies can block calls. Spam gets expensive if you have to buy new service every five calls.
It does. But the spammers still do it. Because eventually they hit one person who gives them a thousand dollars or whatever and it pays off.
Nobody is making spam calls with cell phones. Spammers use VOIP services and old TDM systems.
There are SIM card banks for SMS spam… I'd be surprised if there wasn't anything similar for calling. Not that I support this bill, but it is a thing.
STIR/SHAKEN up to this point has only been a self-certification that a telecom company has the right to use a number. What the FCC is trying to do is set up a legal obligation for the STIR/SHAKEN header to match a KYC verified identity.
If the FCC implements this, I expect a lot of litigation because of the burden and legal liability this would place on telecom and VOIP companies. There are other less burdensome approaches to preventing spam that the FCC has not tried.
I am constantly amazed how few people understand that preventing spam is below the last thing the FCC is actually interested in.
First of all, the decision makers at the FCC profit directly from spam, Christ.
Secondly, the indirect value of spam to the FCC is that it helps to justify initiatives to ruin the privacy of ordinary people via the constant push for KYC.
Just like "age verification", Flock cameras, license plate scanners, ubiquitous IoT with microphones and cameras, etc. Governments and corporations both profit from shredding every molecule of your privacy.
The FCC issued a report on this very subject[1]. TLDR, there have been four exceptions to the SHAKEN/STIR requirements:
- Providers that can't afford to implement it
- Non-IP networks
- Small voice service providers that originate calls via satellite using U.S. NANP
- Providers that lack control over the network infrastructure necessary to implement
Nothing is going to change as long as those holes exist.
1: https://docs.fcc.gov/public/attachments/DOC-416732A1.pdf
The "can't afford it" exception is disappearing soon, as it isn't true for any business. Total setup costs for STIR/SHAKEN are under $2000 these days. Providers that lack control over the network infrastructure (i.e. they don't have the ability to control the STIR/SHAKEN headers, so by definition they can't spoof numbers) will likely continue to be a thing, as changing it would force pretty much every small business in the VOIP industry out of business and allow only large companies to be VOIP service providers.
> I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume?
It would certainly hurt a consumption-based economy, for starters.
Why would that hurt a consumption-based economy?
Telcos make money off of scammer activity.
It's a vector for advertising.