chris t (![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small} lifftchi) wrote,@ 2009-02-24 11:05:00 |
|
largely pork.
Got one of those irritating cellphone spams today, for the umpteenth time. "This is the second notice that the manufacturer warranty on your vehicle is about to expire." Particularly funny, of course, in that I don't own a car and never have.
I've seen other livejournal posts on the subject, but they center on legal remedies -- complaining at the FCC, using the federal "do not call" list, etc. I don't think that legislation is the best approach here. As Gaiman points out, the law is a blunt stick, and a very dangerous first-line treatment.
Anyway, I got to thinking about a scheme to generate and distribute one-time cellphone numbers. Basically, you'd overlay a secondary dialing system that relies on very large phone numbers to uniquely identify links between people.
(slave_to_anime suggested a much more plausible version of everything after this line, which generates random extensions. I'm seriously thinking of building the iphone app and setting up the asterisk server to make it happen. . . except that cellphone spam isn't really a big deal for me.)
As an implementation, you might get a keyspace from the phone company, which is permuted using one of the readily-available cryptographically strong hash functions (to make guessing valid numbers difficult,) use the phone itself to generate and "validate" new numbers, and distribute them via text messages. These text messages would be the totally open side channel used to exchange identifiers. If that became problematic, we could move to more radical methods.
This would have the advantage that, when a number became compromised, you could revoke it -- the UI would say "never accept calls from this number again." (It goes without saying that, until you manually generated a number from your keyspace, it would be useless.)
I'm going to transition to a Q&A format now:
What about situations where you want to distribute a number via non-electronic means, like business cards?
What about text message spam?
What if my keyspace changes, like I lose my phone and don't have backups?
What if a spammer guesses or intercepts the number that I use for one of my friends?
Couldn't you extend this to encrypting phone conversations as well, independently of the transport-level encryption done by the phone company?
Got one of those irritating cellphone spams today, for the umpteenth time. "This is the second notice that the manufacturer warranty on your vehicle is about to expire." Particularly funny, of course, in that I don't own a car and never have.
I've seen other livejournal posts on the subject, but they center on legal remedies -- complaining at the FCC, using the federal "do not call" list, etc. I don't think that legislation is the best approach here. As Gaiman points out, the law is a blunt stick, and a very dangerous first-line treatment.
Anyway, I got to thinking about a scheme to generate and distribute one-time cellphone numbers. Basically, you'd overlay a secondary dialing system that relies on very large phone numbers to uniquely identify links between people.
(
slave_to_anime suggested a much more plausible version of everything after this line, which generates random extensions. I'm seriously thinking of building the iphone app and setting up the asterisk server to make it happen. . . except that cellphone spam isn't really a big deal for me.)As an implementation, you might get a keyspace from the phone company, which is permuted using one of the readily-available cryptographically strong hash functions (to make guessing valid numbers difficult,) use the phone itself to generate and "validate" new numbers, and distribute them via text messages. These text messages would be the totally open side channel used to exchange identifiers. If that became problematic, we could move to more radical methods.
This would have the advantage that, when a number became compromised, you could revoke it -- the UI would say "never accept calls from this number again." (It goes without saying that, until you manually generated a number from your keyspace, it would be useless.)
I'm going to transition to a Q&A format now:
What about situations where you want to distribute a number via non-electronic means, like business cards?
What, your business cards don't have embedded bluetooth chips? Um. . . it's just a relatively short data blob. Use QR codes (et al.)
What about text message spam?
We assume text spam will be so much less annoying as to be not worth considering.
What if my keyspace changes, like I lose my phone and don't have backups?
Do the same thing you do today -- post a number on (social network of choice) where people can text you their contact info.
What if a spammer guesses or intercepts the number that I use for one of my friends?
Tell the phone to generate a new number and send it to him via text message. This is a UI problem -- if it takes more than two button presses, something's gone wrong. (You can tell that text messages are the glue that holds this thing together. This is because I hate talking on the phone.) Also, if it keeps on happening, consider the possibility that your friend is spamming you.
Couldn't you extend this to encrypting phone conversations as well, independently of the transport-level encryption done by the phone company?
Don't see why not. Might be expensive.
