On Wednesday, the Federal Trade Commission (FTC) announced another contest to design a system to "identify unwanted robocalls received on landlines or mobile phones, and block and forward those calls to a honeypot." The agency will select "up to five contestants" as part of what it’s calling "Robocalls: Humanity Strikes Back."
The first qualifying phase launches Wednesday and runs through June 15, 2015 at 10:00pm Eastern Time, while the final phase concludes at DEF CON 23 on August 9, 2015.
Here's the FTC contest page. There's another similar contest (with no cash prize) being held "as part of the National Day of Civic Hacking." It appears they have done something similar in previous years as well.
FTC to Award $25,000 for the Best Honeypot Design to Trap Robocalls
(Score: -1, Offtopic) by Anonymous Coward on Thursday March 05 2015, @11:00AM
Stealing Keys from PCs using a Radio:
Cheap Electromagnetic Attacks on Windowed Exponentiation
http://www.cs.tau.ac.il/~tromer/radioexp/ [tau.ac.il]
"Overview
We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.
We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis."
#########################################
Cryptology ePrint Archive: Report 2015/170
http://eprint.iacr.org/2015/170 [iacr.org]
"Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation
Daniel Genkin and Lev Pachmanov and Itamar Pipman and Eran Tromer
Abstract: We present new side-channel attacks on RSA and ElGamal implementations that use the popular sliding-window or fixed-window (m-ary) modular exponentiation algorithms. The attacks can extract decryption keys using a very low measurement bandwidth (a frequency band of less than 100 kHz around a carrier under 2 MHz) even when attacking multi-GHz CPUs.
We demonstrate the attacks' feasibility by extracting keys from GnuPG, in a few seconds, using a nonintrusive measurement of electromagnetic emanations from laptop computers. The measurement equipment is cheap and compact, uses readily-available components (a Software Defined Radio USB dongle or a consumer-grade radio receiver), and can operate untethered while concealed, e.g., inside pita bread.
The attacks use a few non-adaptive chosen ciphertexts, crafted so that whenever the decryption routine encounters particular bit patterns in the secret key, intermediate values occur with a special structure that causes observable fluctuations in the electromagnetic field. Through suitable signal processing and cryptanalysis, the bit patterns and eventually the whole secret key are recovered.
Category / Keywords: side channel, electromagnetic analysis, RSA, ElGamal
Date: received 27 Feb 2015, last revised 3 Mar 2015
Contact author: tromer at cs tau ac il"
#########################################
EOF
(Score: 4, Interesting) by CirclesInSand on Thursday March 05 2015, @01:45PM
Glad to hear the FCC is doing something about those robocallers. Rather than hiring a team of engineers with the authority of the FTC behind them, and paying them appropriate annual salaries (a few hundred thousand a year), they will be spending $25,000 for some amateurs to create crap.
Maybe they could ... demand call information from the phone companies (which they can do anyway) and prosecute robocallers? Is that too radical?
(Score: 2) by kaszz on Thursday March 05 2015, @02:05PM
Perhaps it's all a diversion?
(Score: 5, Informative) by Thexalon on Thursday March 05 2015, @02:36PM
I've worked for a company that among other services manages to block most robocalls. It's not *that* hard of a problem to detect them, because of two characteristics of robocalls:
1. Because they aren't people, they can't handle instructions like "please press 4 now".
2. The caller audio is identical across a wide range of calls and target numbers.
So I suspect that some amateurs who really thought about it could create something decently effective, and if the government can do that for $25,000 I'd consider it money well-spent.
As to why they have a hard time tracking down and prosecuting robocallers, that's basically because robocalls are basically a more modern version of email spam, which means that all the techniques the email spammers used are in use for robocallers. They're hiding the origins of the calls (hacking into vulnerable phone systems if necessary to do that), they're fly-by-night companies that disappear as soon as anyone starts scrutinizing them, and they're taking advantage of national and state boundaries.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Interesting) by kaszz on Thursday March 05 2015, @02:57PM
Just listening into the SS7 signaling ought to reveal these spam callers. A small pool of originating numbers that calls a large pool of numbers within a short time. Just identify that source pool and block them?
The technology is there. It's just ineptitude within telecommunication companies that hinders this from happening. But then handling lots of calls means money, so why "fix it"?
(Score: 4, Insightful) by MrGuy on Thursday March 05 2015, @03:05PM
Except that this also describes outgoing call centers, which have a variety of legitimate purposes. For example, a customer service team that contacts customers with problem orders placed online would look similar (small number of outgoing numbers, large number of contacted numbers, frequent calls, many short-duration calls because a lot of the time you'll get voicemail...)
Not saying it's not possible to identify "highly likely to be robocalling" by data mining, just that there's a difference between "a lot of outbound calls" and "robocalls".
(Score: 3, Interesting) by kaszz on Thursday March 05 2015, @03:15PM
Add call length to the data mining? Lack of anyone calling back etc..
(Score: 3, Informative) by Thexalon on Thursday March 05 2015, @03:32PM
It's not a small pool of originating numbers, because the robocallers spoof the originating numbers to get around the fact that there are blacklisting services out there for phone numbers.
And as a sibling poster points out, even if they didn't do that a legitimate call center (e.g. a utility customer service department) would look identical to a robocaller from the metadata-only viewpoint.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1, Interesting) by Anonymous Coward on Thursday March 05 2015, @06:02PM
> as a sibling poster points out, even if they didn't do that a legitimate call center (e.g. a utility customer service department) would look identical to a robocaller from the metadata-only viewpoint.
Furthermore, we should expect that whatever differences in meta-data there might be would be quickly emulated by the spammers. No incoming calls? Start sending in bogus incoming calls. Duration too short? Start making long bogus calls to phone numbers under control of the spammers.
These guys may be assholes, but to assume they aren't clever is just wishful thinking.
(Score: 2) by kaszz on Friday March 06 2015, @08:23AM
There's a difference in SS7 numbers and the one presented as caller-identification to the customer.
One could perhaps use voice fingerprinting used in several successive calls as well.
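The two heuristics Thexalon describes (robocallers cannot follow a spoken "press 4 now" prompt, and their audio is identical across many calls), combined with the caveats raised in this thread (caller IDs are spoofed, and a legitimate call centre looks the same as a robocaller if you only count outbound calls), as an added example that is not code from the original discussion. The call records are constructed stand-ins for what a honeypot would log, and the "audio fingerprint" is just a hash of the audio bytes standing in for a real acoustic fingerprint.

```python
import hashlib
from collections import defaultdict

# Constructed sample of inbound calls as a honeypot might log them (not data from the page).
# cli: presented caller ID (spoofable); dest: honeypot number called; audio: stand-in for the
# first seconds of caller audio; pressed_4: did the caller follow a spoken "press 4 now" prompt.
CALLS = [
    # Robocall campaign: one identical recording, rotating spoofed CLIs, never follows the prompt.
    {"cli": "+15550100", "dest": "+15559001", "audio": b"card-services-recording", "pressed_4": False},
    {"cli": "+15550199", "dest": "+15559002", "audio": b"card-services-recording", "pressed_4": False},
    {"cli": "+15550142", "dest": "+15559003", "audio": b"card-services-recording", "pressed_4": False},
    {"cli": "+15550177", "dest": "+15559004", "audio": b"card-services-recording", "pressed_4": False},
    # Legitimate outbound call centre: one CLI, many destinations, but human voices that differ
    # from call to call, and agents who do press 4 when asked.
    {"cli": "+15550300", "dest": "+15559001", "audio": b"agent-1-hello-this-is", "pressed_4": True},
    {"cli": "+15550300", "dest": "+15559002", "audio": b"agent-2-hi-calling-about", "pressed_4": True},
    {"cli": "+15550300", "dest": "+15559003", "audio": b"agent-1-good-afternoon", "pressed_4": True},
    # A one-off personal call.
    {"cli": "+15550400", "dest": "+15559005", "audio": b"friend-hey-its-me", "pressed_4": True},
]

def audio_fingerprint(audio):
    # Stand-in for a real acoustic fingerprint: a truncated hash of the audio bytes.
    return hashlib.sha256(audio).hexdigest()[:16]

def flag_robocall_audio(calls, min_dests=3, max_dtmf_rate=0.2):
    """Group calls by audio fingerprint instead of by CLI (CLIs are spoofed), then flag a
    fingerprint when the same audio reached many distinct destinations and the caller almost
    never followed the DTMF prompt. Returns {fingerprint: set of CLIs seen with that audio}."""
    groups = defaultdict(list)
    for c in calls:
        groups[audio_fingerprint(c["audio"])].append(c)
    flagged = {}
    for fp, group in groups.items():
        dests = {c["dest"] for c in group}
        dtmf_rate = sum(c["pressed_4"] for c in group) / len(group)
        if len(dests) >= min_dests and dtmf_rate <= max_dtmf_rate:
            flagged[fp] = {c["cli"] for c in group}
    return flagged

def flag_by_cli_volume(calls, min_dests=3):
    """Naive metadata-only rule: flag any CLI that called many destinations. Kept here to show
    that it misses the spoofing campaign and flags the legitimate call centre instead."""
    dests = defaultdict(set)
    for c in calls:
        dests[c["cli"]].add(c["dest"])
    return {cli for cli, d in dests.items() if len(d) >= min_dests}

if __name__ == "__main__":
    print("by audio + DTMF:", flag_robocall_audio(CALLS))
    print("by CLI volume:  ", flag_by_cli_volume(CALLS))
```

Run as written, the audio/DTMF rule flags only the recorded campaign (with all four spoofed CLIs attached to it), while the CLI-volume rule flags only the call centre.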
(Score: 2) by Joe Desertrat on Thursday March 05 2015, @08:13PM
> As to why they have a hard time tracking down and prosecuting robocallers, that's basically because robocalls are basically a more modern version of email spam, which means that all the techniques the email spammers used are in use for robocallers. They're hiding the origins of the calls (hacking into vulnerable phone systems if necessary to do that), they're fly-by-night companies that disappear as soon as anyone starts scrutinizing them, and they're taking advantage of national and state boundaries.
So let the government go hard after those who are benefiting from these promotions. If someone is outsourcing promotions, they should have to put strict guidelines in the contracts so they know exactly how their promotions will be handled. The excuse that they did not know the promotions company was going to make robocalls is, well, inexcusable.
(Score: 3, Insightful) by Thexalon on Thursday March 05 2015, @08:48PM
Most robocalls aren't advertising or promotions of legitimate services, but scam artists of various kinds. The FTC has caught a few people, most notably one of the organizations responsible for "Rachel from Cardholder Services" [consumeraffairs.com].
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by NotSanguine on Friday March 06 2015, @02:52AM
> Most robocalls aren't advertising or promotions of legitimate services, but scam artists of various kinds. The FTC has caught a few people, most notably one of the organizations responsible for "Rachel from Cardholder Services".
Funny that. I get calls from group(s) engaged in an identical scam just about every day.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Thursday March 05 2015, @05:13PM
A honeypot isn't a filter. It is a misdirection and surveillance system. So the FTC says: "Robocalls bad", and everybody fails to consider that what they're suggesting is dual use. Isn't that how the national do not call list got started?
(Score: 0) by Anonymous Coward on Thursday March 05 2015, @06:05PM
> everybody fails to consider that what they're suggesting is dual use. Isn't that how the national do not call list got started?
What, exactly, is this "dual use" for the do not call list?
(Score: 0) by Anonymous Coward on Thursday March 05 2015, @02:04PM
Like the death penalty for you and all your offspring. Also de-exempt politicians since they use robocalls too. This place will be habitable again in no time.
(Score: 3, Informative) by kaszz on Thursday March 05 2015, @03:00PM
If politicians use robocalls, it will be allowed for an eternity.
(thanks for telling us what will block any solution)
(Score: 0) by Anonymous Coward on Thursday March 05 2015, @02:54PM
1. Why is the FTC getting into law enforcement?
2. Why is the FTC paying for technology that already exists, but isn't implemented due to trade regulation? (or weren't they aware of that, being the Federal TRADE Commission?)
3. Isn't that more of a legal problem than a technological problem, since the judiciary has no capacity for on-demand consumer requested wiretap warrants?
4. Doesn't question 3 suggest that the FTC is solving a problem that cannot be legally implemented?
5. Shouldn't the FTC document the legal scope of its actions BEFORE setting off on some NCIS inspired adventure?
How about this as a contest instead:
25k$ to the first soundbite of a Congressman captured at home from his Samsung TV posted online. Bonus points if he's watching porn.
(Score: 2) by kaszz on Friday March 06 2015, @08:32AM
Perhaps the FTC is gaming the system to beat any "donors" that would otherwise stall any attempt like this?
(Score: 3, Interesting) by richtopia on Thursday March 05 2015, @03:36PM
What would happen if phone calls were taxed something like 1c per call? To almost every user this would be a few dollars a year, but call spammers would see their margins hurt significantly.
This isn't terribly well thought out; there are perhaps "legit" mass callers out there. Charities asking for donations for example, although I despise that practice also.
(Score: 3, Funny) by redneckmother on Thursday March 05 2015, @05:57PM
Back when I had a landline, and didn't pay for incoming calls, I used telemarketers' tactics against them. The poor shmuck who calls gets paid based on making a "sale", and the longer you string 'em along, the more painful a "lost sale" will be. One poor soul spent 25 minutes on the line before he realized he was wasting time on me. It was more entertaining than watching crap TV.
More beer, please.
(Score: 2) by M. Baranczak on Friday March 06 2015, @05:01AM
25 minutes is nothing. A friend of mine claims to have strung them along 6 hours once.
And then there's this: https://www.youtube.com/watch?v=-7OgWcwgB50 [youtube.com]
(Score: 2) by kaszz on Friday March 06 2015, @08:29AM
You need to make it so that you waste the phone spammers' time and not your own in the process.
(Score: 3, Interesting) by fatuous looser on Thursday March 05 2015, @05:12PM
Gee, where is there already a gigantic honeypot up & running? The one that sucks down every little upstream photon from every corner of the globe? Lemme think. Oh, that would be the Bluffdale facility in Utah. Works great for blackmail & industrial espionage. We just LOVE it for that here in Amerika. A technological wonderment, it is.
We already know where the robocallers will be phoning to next. Right here at my house, this very evening, as one simple example. Why not fashion some robo-tracing "algorithms" for our lovely panopticon surveillance machine & document every detail of the robocalling activity with that?
We spent billions on the Bluffdale dragnet. Let's use it for something worthwhile, for a change.
(Score: 2) by urza9814 on Thursday March 05 2015, @06:43PM
Jesus man, stop giving them ideas of how to make the general public *support* their behavior!
(Score: 2) by FakeBeldin on Friday March 06 2015, @03:29PM
Feel free to donate any unexpected income (minus your payment processing fee, of course) towards the EFF, OpenBSD, or another worthy and nerdy cause of your choosing.