by smallmancontrov 11 days ago
What ever happened to SHAKEN/STIR? I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume? I still get loads of spam phone calls, so clearly something went wrong (or slow enough to be indistinguishable from wrong).

I love a good tortured acronym:

> SHAKEN system, short for Signature-based Handling of Asserted information using toKENs [...]

> The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred". STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym."

https://en.wikipedia.org/wiki/STIR/SHAKEN

(Unrelatedly, seeing a slash used casually within the URL slug feels so wrong)

I like backronyms because it tells me someone with a soul was involved
LLMs are really good at making backronyms, in fact it might be one of the things they're best at. Try prompting any soulless overlord with "give me a backronym for <WORD> that relates to <SUBJECT>".

So maybe it's bad backronyms that demonstrate the soul. I don't know whose idea it was to allow a computer to generate whimsy; that should be interdicted by a fourth law of robotics.

Agreed. Aggressively whimsical chatbots should be in the Geneva convention somewhere.
You agree that LLMs are good at making backronyms yet they still make you feel like a human was involved?
I'm not certain, but I think on my phone incoming calls that fail SHAKEN/STIR show the caller id in red rather than black text. I'm on T-Mobile. It also shows "Number Verified" or something like that.
Now that you mention it, I believe I have seen a couple of red flagged calls, but I still get ~3 calls a day from a very aggressive business loan spammer, it's always a new number and never flagged.
That's because they are bulk purchasing numbers from voip providers, cycling through probably hundreds per day.
Do they actually need to purchase numbers to do that, though?

I always imagined that there are certain shady providers ("grey-market Twilio" sort of idea) that just let you run single outbound call/text requests through a giant pool of numbers shared with other customers of the service. Perhaps specifically a bank of residential numbers plugged into banks of regular cell phones, like a residential IP proxy service provider.

Somebody at some point is purchasing them, probably not the spammers/scammers themselves.

It's very unlikely anybody is placing spam/scam calls with regular cell phones when VoIP numbers are easy and cheap to get, and when VoIP systems are far easier to manage.

You would think that someone is getting real cell phone numbers, for the same reason scammers value residential IPs rather than data center IPs.
Anybody desperate enough to consider telemarketed merchant cash advances (MCAs) should look into them very carefully first. The contracts often have stipulations that allow them to draw money from your bank account at will, penalty interest rates that jump up to 400% APR, have been known to use mafia enforcers to violently extract payments, and the list goes on. There was a More Perfect Union video (titled something about texting back a loan shark) with a bracing, if sensationalized, look at some of the worst ones.
Source(s) or reference(s) on this would be useful and appreciated.
Hmmm… I wonder if the no-response downvotes are from people in the MCA business? Hmmmmmmmmmmmmmmm…
According to a defcon talk, spammers just make sure all their spam gets routed through legacy TDM systems which discard the shaken/stir header because they're too old to support it. The other side then re-adds a "we got this from somewhere that didn't support this header" header.
> legacy TDM systems

Easy fix. It should be opt-in to accept a call that is routed through one of these. I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962 can call her son in New York, but for the rest of us who are not in that situation, we can just blacklist all those calls and lose nothing. This would even fix spam for the people who opt-in, because so few people have grandmas in rural France that it's not worth it for the spammers to bother anymore.

> Easy fix. It should be opt-in to accept a call that is routed through one of these.

Easier (and correct) fix: Telecoms operators should not be permitted to provide transit to a call that's routed through one of these.

> I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962...

This doesn't make sense. Even my inexpensive Mikrotik switches can augment packets with the ID of the port that they originated from. I do not believe for even a second that Telecoms Grade switching equipment is unable to do the same. The fact that that grandma can send and receive calls tells you that both that that equipment exists and that it knows what port her phone is connected to.

> I do not believe for even a second that Telecoms Grade switching equipment is unable to do the same.

The example should rather have been some telecom carrier in Africa or India. Telco equipment is expensive, the technology is ridiculously complex, and getting companies, especially in less well-off regions, to replace aging stuff and update it to modern standards is next to impossible. Think about it: the globally connected phone system includes countries where you get 10 GBit/s symmetric fiber in your home and it includes countries where people don't even have running water because they're so poor.

The fact that we in Western countries can have a realtime conversation with someone in the Saharan desert or in an Indian village that requires days worth of travel [1] is nothing short of a miracle.

[1] https://www.aljazeera.com/gallery/2024/5/8/an-election-booth...

> Telco equipment is expensive...

Sure, agreed.

> ...the technology is ridiculously complex...

Odd. I could have sworn that Caller ID, Customer-initiated Dialback, "Tell me the number of my most recent caller", and "Keep calling this number for the next half hour, and ring me if the call is answered" were features that were available on the POTS since the early 1990s. I agree that the tech's complex, but the R&D for the stuff I'm talking about has been over and done with for at least thirty five years. There are adult HN users who have never lived in a world without this stuff.

> ...getting companies especially in less well-off regions to replace aging stuff and updating it to modern standards is next to impossible.

I don't see how that's the problem of "The West"? If it's actually a problem, instruct "Western" telecoms to send a couple-hundred-million dollars in last-gen equipment, along with the techs required to install it and let them declare its original purchase price and the full cost of the manpower as a tax credit.

> ...is nothing short of a miracle.

If we ignore the existence of long-range radio, and if this were prior to 1965 or -at latest- 1970, I might agree. But, like, we've had satellite telecommunications for nearly sixty years, terrestrial microwave transceivers for a couple of decades longer, and short- and long-wave transceivers for far, far longer than either.

Additionally... I don't know if you've noticed, but it's not uncommon to have a satellite phone in your pocket these days.

> I agree that the tech's complex, but the R&D for the stuff I'm talking about has been over and done with for at least thirty five years.

Sure, but now have a look at the infrastructure that's physically deployed. Hell in Germany (!), it took until 2020 to finally disable the old and truly horribly aged ISDN infrastructure. When it takes the third-richest nation by GDP that long to replace technology, I am not going to demand better from nations that are a few dozen places below us on the economy rankings.

> I don't see how that's the problem of "The West"? If it's actually a problem, instruct "Western" telecoms to send a couple-hundred-million dollars in last-gen equipment, along with the techs required to install it and let them declare its original purchase price and the full cost of the manpower as a tax credit.

Yeah good luck with getting that past our populations that, no matter if we're talking about the US or Europe, have been riled up by the local far-right and Russia that foreign aid is a bad thing and "national wealth should stay in the nation" (with the end result of course being that Russia has swooped in to replace our foreign aid, and that's why we see so many putsches in Africa).

> But, like, we've had satellite telecommunications for nearly sixty years, terrestrial microwave transceivers for a couple of decades longer, and short- and long-wave transceivers for far, far longer than either.

Sure! But the fact remains that it took a lot of effort to get telephones and their infrastructure deployed effectively worldwide.

> Additionally... I don't know if you've noticed, but it's not uncommon to have a satellite phone in your pocket these days.

In developed economies, sure. But in countries where the iPhone models capable of that (or an outright Starlink terminal) can cost a full year's wages? In South Sudan, the yearly corrected purchase power is about 716 $ per person and year [1].

[1] https://gfmag.com/data/economic-data/poorest-country-in-the-...

> I do not believe for even a second that Telecoms Grade switching equipment is unable to do the same

Mikrotik is a young spring chick compared to the dinosaurs in telecom.

The simplest phone you can attach to any POTS line in the US is the touch-tone phone. [0] It's a microphone, speaker, ringer, switch, and a DTMF tone generator. The most complicated part of this device by far is the tone generator. The line it's attached to provides the power for all of the electronics/electromechanics inside the phone... and is also responsible for activating the phone's ringer and "knowing" the status of the "on hook" switch. The most basic phone models have no memory or logic inside them of any kind.

Given these restrictions, how does one ensure that one can activate the ringer of a single phone (and connect its speaker and mic to that of the caller, and no one else) in a world where all of the human operators were replaced by electromechanical ones, which were then replaced by fully computerized ones? Once one has figured that out, how does one ensure accurate and correct determination of the calling parties, the transit networks, and the duration of the call? One needs to recover one's costs, and one uses usage-based billing to do so. [1]

In order to do those things, mightn't the system that that phone is connected to have to have all of the information about the callers, the systems the call flows through, the duration of the call, etc, etc, etc?

[0] Rotary phones are even simpler than touch-tone phones because they replace the tone generator with an electromechanical gizmo that bangs on the line when it's rotated. Because I vaguely remember hearing that some phone networks were phasing out support for rotary phones, I'm assuming that you're not guaranteed to be able to attach one and have it function.

[1] I'll only briefly mention POTS features from ~35 years ago such as "Caller ID", "Read to me out loud the phone number of my most recent caller", and "Keep calling this number for the next half hour and ring me if they pick up", which had to (and did) work with these dumb-as-bricks phones.

It is opt-in. There's three categories (according to that defcon talk): call originates from the number it says it does, call originates from our network but we're not sure about the number, and call came to us unverified (only allowed by regulation on legacy links).

Now, operators of those legacy links make A LOT of money for operating them since they carry 100% of the country's spam traffic, and they're not going to shut them down just because you think they should. The government would have to make them do it and they'll pretend upgrading is super expensive.

> call originates from our network but we're not sure about the number, and call came to us unverified

I'm saying these two categories should be denied by default by my telecom provider, and the user must opt-in to receiving them.

> Now, operators of those legacy links make A LOT of money for operating them since they carry 100% of the country's spam traffic, and they're not going to shut them down just because you think they should.

Those operators are not my concern, they can do whatever they want. I want my telecom provider to block unknown/unverified calls by default. I have no reason to ever receive a call from an unverified source. Some people might, because they have business or relatives or whatever in such a region, and they can opt-in to receiving them if so.

If your telecom provider stopped carrying unverified calls you'd cancel your service because you'd miss a lot of important calls. If the government required it for all calls though...
> you'd miss a lot of important calls

Like what? Who is both a legitimate caller and also trying to call me through one of these unverified legacy services? If their calls stopped going through to a huge chunk of their customers (this is one of the reasons receiving unvalidated calls should be opt in, not opt out), why wouldn't they switch to a verified service?

Sure, but why do I care? Let them run the legacy links. Just don't make my phone ring.
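The three categories mentioned a few comments up are the STIR/SHAKEN attestation levels A, B and C carried in the PASSporT `attest` claim, and "make sure attestation below B is blocked" later in this thread is a policy a terminating carrier applies after verifying that token. Below is an added example, not code from the thread or from any carrier's verification service, of what that terminating-side check looks like: it parses a SIP Identity header (PASSporT plus `info`/`alg`/`ppt` parameters), applies the RFC 8224 sanity checks (alg, ppt, iat freshness, orig/dest matching the call), then applies the "only A rings by default, B/C/unsigned are opt-in" policy the commenter asked for, and tags the result with the ATIS-1000074 `verstat` value a handset would display. The ES256 signature and certificate-chain check is delegated to a caller-supplied callable; the `demo_verifier`, `DEMO_CERT_URL`, the `origid`, the phone numbers and the placeholder signature are all constructed for this example and are not real.

```python
import base64
import json
from typing import Callable, Optional

# RFC 8224 has the verifier reject PASSporTs whose iat lies outside a
# freshness window; 60 seconds is the value most deployments use.
IAT_WINDOW_SECONDS = 60

# verify_sig(cert_url, signed_input, signature_b64url) -> bool.  In production
# this does ES256 verification against the x5u certificate and chains it to an
# STI-CA; that part is deliberately outside this offline example.
SigVerifier = Callable[[str, str, str], bool]

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_identity_header(value: str) -> dict:
    """Split 'hdr.payload.sig;info=<url>;alg=ES256;ppt=shaken' into its parts."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("PASSporT needs three non-empty base64url segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "signed_input": f"{parts[0]}.{parts[1]}",
        "signature": parts[2],
        "params": dict(p.split("=", 1) for p in params if "=" in p),
    }

def verify_passport(identity: str, from_tn: str, to_tn: str, now: int,
                    verify_sig: SigVerifier) -> Optional[str]:
    """Return the attestation level ('A', 'B' or 'C') if the PASSporT is
    acceptable for this particular call, otherwise None."""
    try:
        p = parse_identity_header(identity)
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        return None
    hdr, body, params = p["header"], p["payload"], p["params"]
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        return None
    if params.get("alg") != "ES256" or params.get("ppt") != "shaken":
        return None
    iat = body.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > IAT_WINDOW_SECONDS:
        return None                      # stale token, or a replayed one
    if body.get("orig", {}).get("tn") != from_tn:
        return None                      # signed caller differs from the From we got
    if to_tn not in body.get("dest", {}).get("tn", []):
        return None                      # token was minted for a different callee
    attest = body.get("attest")
    if attest not in ("A", "B", "C"):
        return None
    cert_url = hdr.get("x5u") or params.get("info", "").strip("<>")
    if not cert_url or not verify_sig(cert_url, p["signed_input"], p["signature"]):
        return None
    return attest

def screen_call(identity: Optional[str], from_tn: str, to_tn: str, now: int,
                verify_sig: SigVerifier, accept_below_a: bool = False) -> dict:
    """Terminating-side policy: A-attested calls ring; B, C and calls that
    arrive with no Identity header ring only if the subscriber opted in; a
    token that fails verification never rings.  verstat is the ATIS-1000074
    value a carrier puts on P-Asserted-Identity for the handset to display."""
    if identity is None:
        return {"ring": accept_below_a, "attest": None, "verstat": "No-TN-Validation"}
    attest = verify_passport(identity, from_tn, to_tn, now, verify_sig)
    if attest is None:
        return {"ring": False, "attest": None, "verstat": "TN-Validation-Failed"}
    return {"ring": attest == "A" or accept_below_a, "attest": attest,
            "verstat": "TN-Validation-Passed"}

# --- constructed sample data for the demo, not captured traffic -------------
DEMO_CERT_URL = "https://sti.example.net/cert.pem"   # hypothetical STI cert URL

def build_identity(attest: str, orig_tn: str, dest_tn: str, iat: int) -> str:
    """Build a sample Identity header.  The signature segment is a placeholder
    because this example carries no signing key."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": DEMO_CERT_URL}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn},
               "origid": "3b2f0c1e-7d4a-4f2b-9e6c-5a1d8e0f2c47"}  # made-up origid
    token = ".".join(_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                     for x in (header, payload))
    return f"{token}.{_b64url_encode(b'placeholder')};info=<{DEMO_CERT_URL}>;alg=ES256;ppt=shaken"

def demo_verifier(cert_url: str, signed_input: str, signature: str) -> bool:
    """Stand-in for ES256 verification so the example runs offline: it trusts
    only the demo cert URL.  Replace with real signature and chain checks."""
    return cert_url == DEMO_CERT_URL

if __name__ == "__main__":
    NOW, CALLER, CALLEE = 1_700_000_000, "+12025550143", "+12025550199"
    for label, attest in (("full attestation", "A"), ("gateway attestation", "C")):
        ident = build_identity(attest, CALLER, CALLEE, NOW)
        print(label, screen_call(ident, CALLER, CALLEE, NOW, demo_verifier))
    print("no Identity header", screen_call(None, CALLER, CALLEE, NOW, demo_verifier))
```

The point of the orig/dest/iat checks is that a spammer who captures a valid A-attested token cannot replay it on a different call: the token is bound to one caller, one callee list and one minute. The "call came to us unverified" case in the comment above is the `identity is None` branch; a TDM hop that stripped the header leaves the terminating carrier nothing to verify, and the downstream gateway re-signing with `attest: "C"` only vouches that it received the call, not for the number.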
I am more in tune with "just get it over with" than ever. IPv6? 25 years of this crap? Should have just said, Jan 1 2001, all routers must support 64 bit IPv4 addresses. Like the Chrome HTTPS switch over, JUST DO IT
You mean 128 bit? That's called IPv6. It's IPv4 with 128 bit addresses.
Just because a call is a spam call doesn't mean it is spoofed. STIR/SHAKEN ends spoofing but anyone can ultimately buy a phone and make calls that are spammy.
Spoofing isn’t ended at all

Almost every spam call that I get is spoofed.

Someone here explained it, once.

I think the spoofed calls use a legacy transport tech that can’t be forced to validate.

Can't that legacy transport be blocked / not-be-peered with then? That's what usually happens with old insecure tech that is being phased out.
How do you verify it is spoofed? Have you asked your carrier to drop unverified calls from your service?
> How do you verify it is spoofed?

Not my job to "verify," in the technical sense.

When a call for an Indian crypto pump comes in as "SMITH, ROBERT", and a local exchange, I call that "spoofed."

Mine literally come from the verified coinbase phone number and say coinbase and everything. If I didn't know for sure they are not calling me I'd think it was real 100%.
Yeah that does sound spoofed. I'd call your carrier and ask them to make sure attestation below B is blocked.
That's almost certainly not spoofed. They just own a phone number on your local exchange.
No they don't. I've called back, a couple of times, and got some guy named Bob, getting all confused. "Whaddaya mean I just called you?".

Hmm...you seem very interested in redirecting this train of conversation. Why?

Sure, but with phone numbers that can't be spoofed, telcos can terminate service, and filtering technologies can block calls. Spam gets expensive if you have to buy new service every five calls.
It does. But the spammers still do it. Because eventually they hit one person who gives them a thousand dollars or whatever and it pays off.
Preventing spoofing doesn't have to make spam cost-prohibitive for every spammer to greatly reduce the volume, and it does not interfere with ordinary people obtaining phone service anonymously.
Nobody is making spam calls with cell phones. Spammers use VOIP services and old TDM systems.
There’s SIM card banks for SMS spam… I’d be surprised if there wasn’t anything similar for calling. Not that I support this bill but it is a thing.
From what I’ve investigated as a recipient of spam calls, I’ve been called from legitimate mobile numbers from my own mobile telco. The only thing that explains that are SIM card banks.

Unfortunately there isn’t an easy way to report abuse to the telcos (and regulators).

I think most major US carriers have a short code for reporting abuse now.
STIR/SHAKEN up to this point has only been a self-certification that a telecom company has the right to use a number. What the FCC is trying to do is set up a legal obligation for the STIR/SHAKEN header to match a KYC verified identity.

If the FCC implements this, I expect a lot of litigation because of the burden and legal liability this would place on telecom and VOIP companies. There are other less burdensome approaches to preventing spam that the FCC has not tried.

I am constantly amazed how few people understand that preventing spam is below the last thing the FCC is actually interested in.

First of all, the decision makers at the FCC profit directly from spam, Christ.

Secondly, the indirect value of spam to the FCC is that it helps to justify initiatives to ruin the privacy of ordinary people via the constant push for KYC.

Just like "age verification", Flock cameras, license plate scanners, ubiquitous IoT with microphones and cameras, etc. Governments and corporations both profit from shredding every molecule of your privacy.

The FCC issued a report on this very subject[1]. TLDR, there have been four exceptions to the SHAKEN/STIR requirements:

- Providers that can't afford to implement it
- Non-IP networks
- Small voice service providers that originate calls via satellite using U.S. NANP
- Providers that lack control over the network infrastructure necessary to implement

Nothing is going to change as long as those holes exist.

1: https://docs.fcc.gov/public/attachments/DOC-416732A1.pdf

The can't afford it exception is disappearing soon, as it isn't true for any business. Total setup costs for STIR/SHAKEN are under $2000 these days. Providers that lack control over the network infrastructure (i.e. they don't have the ability to control the stir/shaken headers so by definition they can't spoof numbers) will likely continue to be a thing as changing it would force pretty much every small business in the VOIP industry out of business and allow only large companies to be VOIP service providers.
> I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume?

It would certainly hurt a consumption-based economy, for starters.

Why would that hurt a consumption-based economy?
Telcos make money off of scammer activity.
Maybe in the same way that Office Depot makes money on the envelopes used in mail fraud
It's a vector for advertising.
But that's not a consumer initiative. Advertising can come from all sorts of places that the consumer doesn't like, and in economies where advanced levels of consumer choice are limited to the state bureaucrats.
> But that's not a consumer initiative.

Seems irrelevant to the original point.

"consumption-based" requires consumers.