November 2012 Archives

Context is everything. The headline question is, of course, a troll. Authorization definitely matters, and especially within the context of the Computer Fraud and Abuse Act (CFAA), which is the trigger for this post. A fusillade of question around authorization cropped up last week thanks in large part to a blog post by @ErrataRob in which he states that the CFAA is dangerously vague and indeterminate on this question of authorization. In some ways he was right, but in others it was just misleading... to make matters worse, the coverage through the tech industry has been a touch fatalistic, trending toward uninformed and absurd... so, here goes my contribution! (read that as you will;)

The FCC recently announced updated rules around robocalling, and have even offered up a $50,000 prize for anyone who can invent a technology to stop robocalling altogether. In the spirit of helping out, I had a few ideas on how to help address the problem.

1) Add a new star code (similar to *69) that automates reporting spam. Hit a certain threshold and an investigation should be triggered. Hit a higher threshold and the number should get automatically shutdown.

2) Add digital voice analysis. This may not be overly acceptable to people as it implies monitoring their calls. However, if you compress the first, say, 30-60 seconds of the callers side of the conversation and produce a signature, then you should be able to start cataloging different recorded messages and heuristically stomping them out. On the down-side, this will inevitably create a cat-n-mouse game.

3) Improved legislation banning robocallers. It should be outright banned at this point, and there should be hefty penalties associated with it (financial AND criminal). As I've been known to point out on occasion, unbalancing the status quo is oftentimes just as effective as dictating specific requirements or prohibitions. The legislation should also mandate that all phone numbers be tied to known people who can be held accountable for improper behavior.

So, there you have it... 3 simple ideas... feasible? Perhaps, perhaps not... you know what they say about free advice... you almost always get your money's worth! ;)

I have re-enabled comments on the site, at least for the interim. In order to accomplish this, I've implemented a very wide set of IP CIDR blocks to take out the main spammers. I'll continue to monitor over time, as well as research alternative solutions. The worst-case scenario will be to permanently disable comments on the site. TBD.

Think we don't have enough cybersecurity professionals? Think we need better-educated cybersecurity professionals? You're in luck! Here's your opportunity to directly contribute to the future education of cybersecurity professionals!

The ISSA Education Foundation is a 501(c)3 public charity dedicated to furthering the development of cybersecurity professionals. From their "About Us" page:

So, please, head on over to their site and donate now!

Due to an apparent (presumably scripted) DOS attack against the comments script, comments have been temporarily disabled by my hosting provider. I'll be contacting them during business hours Friday to discuss options within someone a bit more senior than a tier 1 support tech. Until then, sorry, no comment for you!