Got Robocalled? Don’t Get Mad; Get Busy.


Several times a week my cell phone receives the telephonic equivalent of spam: A robocall. On each occasion the call seems to come from a local number, but when I answer there is that telltale pause followed by an automated voice pitching some product or service. So when I heard from a reader who chose to hang on the line and see where one of these robocalls led him, I decided to dig deeper. This is the story of that investigation. Hopefully, it will inspire readers to do their own digging and help bury this annoying and intrusive practice.

The reader — Cedric (he asked to keep his last name out of this story) had grown increasingly aggravated with the calls as well, until one day he opted to play along by telling a white lie to the automated voice response system that called him: Yes, he said, yes he definitely was interested in credit repair services.

“I lied about my name and played like I needed credit repair to buy a home,” Cedric said. “I eventually wound up speaking with a representative at”

The number that called Cedric — 314-754-0123 — was not in service when Cedric tried it back, suggesting it had been spoofed to make it look like it was coming from his local area. However, pivoting off of opened up some useful avenues of investigation.

Creditfix is hosted on a server at the Internet address According to records maintained by Farsight Security — a company that tracks which Internet addresses correspond to which domain names — that server hosts or recently hosted dozens of other Web sites (the full list is here).

Most of these domains appear tied to various credit repair services owned or run by a guy named Michael LaSalla and registered to a mail drop in Las Vegas. Looking closer at who owns the address, we find it is registered to System Admin, LLC, a Florida company that lists LaSalla as a manager, according to a lookup at the Florida Secretary of State’s office.

An Internet search for the company’s address turns up a filing by System Admin LLC with the U.S. Federal Communications Commission (FCC). That filing shows that the CEO of System Admin is Martin Toha, an entrepreneur probably best known for founding, a voice-over-IP (VOIP) service that allows customers to make telephone calls over the Internet.

Emails to the contact address at elicited a response from a Sean in Creditfix’s compliance department. Sean told KrebsOnSecurity that mine was the second complaint his company had received about robocalls. Sean said he was convinced that his employer was scammed by a lead generation company that is using robocalls to quickly and illegally gin up referrals, which generate commissions for the lead generation firm.

Creditfix said the robocall leads it received appear to have been referred by Little Brook Media, a marketing firm in New York City. Little Brook Media did not respond to multiple requests for comment.

Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal. According to the Federal Trade Commission (FTC), companies are using auto-dialers to send out thousands of phone calls every minute for an incredibly low cost.

“The companies that use this technology don’t bother to screen for numbers on the national Do Not Call Registry,” the FTC notes in an advisory on its site. “If a company doesn’t care about obeying the law, you can be sure they’re trying to scam you.”

Mr. Toha confirmed that Creditfix was one of his clients, but said none of his clients want leads from robocalls for that very reason. Toha said the problem is that many companies buy marketing leads but don’t always know where those leads come from or how they are procured.

“A lot of times clients don’t know the companies that the ad agency or marketing agency works with,” Toha said. “You submit yourself as a publisher to a network of publishers, and what they do is provide calls to marketers.”

Robby Birnbaum is a debt relief attorney in Florida and president of the National Association of Credit Services Organizations. Birnbaum said no company wants to buy leads from robocalls, and that marketers who fabricate leads this way are not in business for long.

But he said those that end up buying leads from robocall marketers are often smaller mom-and-pop debt relief shops, and that these companies soon find themselves being sued by what Birnbaum called “frequent filers,” lawyers who make a living suing companies for violating laws against robocalls.

“It’s been a problem in this industry for a while, but robocalls affect every single business that wants to reach consumers,” Birnbaum said. He noted that the best practice is for companies to require lead generators to append to each customer file information about how and from where the lead was generated.

“A lot of these lead companies will not provide that, and when my clients insist on it, those companies have plenty of other customers who will buy those leads,” Birnbaum said. “The phone companies can block many of these robocalls, but they don’t.”

That may be about to change. The FCC recently approved new rules that would let phone companies block robocallers from using numbers they aren’t supposed to be using.

“If a robocaller decides to spoof another phone number — making it appear that they’re calling from a different line to hide their identity — phone providers would be able to block them if they use a number that clearly can’t exist because it hasn’t been assigned or that an existing subscriber has asked not to have spoofed,” reads a story at The Verge.

The FCC estimates that there are more than 2.4 billion robocalls made every month, or roughly seven calls per person per month. The FTC received nearly 3.5 million robocall complaints in fiscal year 2016, an increase of 60 from the year prior.

The newest trend in robocalls is the “ringless voicemail,” in which the marketing pitch lands directly in your voicemail inbox without ringing the phone. The FCC also is considering new rules to prohibit ringless voicemails.

Readers may be able to avoid some marketing calls by registering their mobile number with the Do Not Call registry, but the list appears to do little to deter robocallers. If and when you do receive robocalls, consider reporting them to the FTC.

Some wireless providers now offer additional services and features to help block automated calls. For example, AT&T offers wireless customers its free Call Protect app, which screens incoming calls and flags those that are likely spam calls. See the FCC’s robocall resource page for links to resources at your mobile provider.

In addition, there are number of third-party mobile apps designed to block spammy calls, such as Nomorobo and TrueCaller.

Read more here:: KrebsOnSecurity

UK ISP Kijoma Broadband Begins Major 78Mbps+ Wireless Network Upgrade

kijoma uk wireless broadband isp

Fixed wireless ISP Kijoma Broadband, which serves parts of West Sussex, Portsmouth, the Isle of White, Hampshire, Staffordshire, Derbyshire and Surrey, has informed that they’ve begun to deploy a major upgrade on their network that will boost capacity and service speeds. At present the the provider’s top ‘Home Standard‘ package for domestic use offers […]

Read more here:: ISPreview

Converge your network with priority flow control (PFC)

Priority Flow Control

Back in April, we talked about a feature called Explicit Congestion Notification (ECN). We discussed how ECN is an end-to-end method used to converge networks and save money. Priority flow control (PFC) is a different way to accomplish the same goal. Since PFC supports lossless or near lossless Ethernet, you can run applications, like RDMA, over Converged Ethernet (RoCE or RoCEv2) over your current data center infrastructure. Since RoCE runs directly over Ethernet, a different method than ECN must be used to control congestion. In this post, we’ll concentrate on the Layer 2 solution for RoCE — PFC, and how it can help you optimize your network.

What is priority flow control?

Certain data center applications can tolerate only little or no loss. However, traditional Ethernet is connectionless and allows traffic loss; it relies on the upper layer protocols to re-send or provide flow control when necessary. To allow flow control for Ethernet frames, 802.3X was developed to provide flow control on the Ethernet layer. 802.3X defines a standard to send an Ethernet PAUSE frame upstream when congestion is experienced, telling the sender to “stop sending” for a few moments. The PAUSE frame stops traffic BEFORE the buffer overflows, thereby avoiding having to drop traffic.

While this is useful, the 802.3X PAUSE frame pauses ALL frames, which can include control plane and other high priority traffic. This could result in a loss of BGP or OSPF neighbors for example. This is where PFC comes in. PFC allows you to configure the switch to send PAUSE frames for only specific traffic classes, identified by either 802.1p bits or DSCP bits, leaving others that are not causing the congestion to continue sending.

Let’s use the below diagram as an example. In this case, let’s say on all switches we have configured a mapping from DSCP 0 to traffic-class cos 0, and DSCP 46 to traffic-class cos 5. Frame1 arrives destined for the ingress port buffer in traffic class cos0. Since that buffer is congested, Switch1 will send a PAUSE frame back to the upstream switch, but pausing only the frames destined for the port buffer associated with traffic class cos 0 (i.e. those marked with DSCP 0). Along with the PAUSE frame, a quanta is sent stating “Pause this traffic class for only this specific amount of time”. Meanwhile, frame1 and all frames received by Switch1 will be forwarded to its intended destination. All traffic destined for traffic class cos5 will continue to flow normally.

When either the quanta time is up, or the congestion on the local switch is alleviated and Switch1 notifies the upstream switch with another PAUSE frame with zero quanta, traffic starts flowing normally again.

The notifications (ie. PAUSE frames) happen hop by hop to accommodate layer 2. This means the upstream switch’s buffer may also become congested as it’s pausing, so then the upstream switch may send a PAUSE frame to its upstream switch and so on until the congestion is alleviated on that specific traffic class.

Priority Flow Control

How does this help RoCE?

To reiterate, priority flow control (PFC) makes Ethernet networking accessible for even more applications, even those sensitive to loss. Customers like PFC (and other technologies like ECN) because it allows them to converge their networks into one, reducing cost and adding simplicity.

For example, in the past, Infiniband applications often required a separate Infiniband network to provide lossless or near lossless connectivity. Customers using these applications worried about converging RoCE networks with Ethernet because of potential traffic loss. RoCE allows the Infiniband global route header to run directly on top of Ethernet, thus converging two historically separate networks, but it requires nearly lossless data transfer. PFC is used to provide the near lossless data transfer requirement since RoCE operates on the Link Layer only.

How do you deploy priority flow control?

Ready to converge your network using PFC? Great! It’s coming soon to NCLU (stay tuned!). If you’d like to get started now, you can configure the technology using traditional Linux. Don’t worry, it’s pretty straightforward. Check out the user guide here. You’ll find that only one file (/etc/cumulus/datapath/traffic.conf) needs to be edited and one process (switchd) restarted to get moving. If you would like to learn more about configuring using Linux, we recommend a Cumulus Networks bootcamp for personalized training.

If you have any questions, simply contact your account representative.

The post Converge your network with priority flow control (PFC) appeared first on Cumulus Networks Blog.

Read more here:: Cumulus Networks

[Sarcasm Alert] New (In)dependent tester awards CIA-graded certification

Selecting the right security solution to protect your devices isn’t always an easy decision to make – whether you’re a consumer or a larger organization. Luckily, there are many independent testing laboratories who do their job at testing security products well, so end customers have a way to compare and select a solution that suits their needs best. It’s not often we see a new kid (tester) on the block.

Read more here:: Avast

What is intent-based networking?

Read more here:: IT news – Networking

FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016

Source: Internet Crime Complaint Center (IC3).

Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI’s Internet Crime Complaint Center (IC3).

The IC3 report released Thursday correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement.

Source: Internet Crime Complaint Center (IC3).

For example, the IC3 said it received 17,146 extortion-related complaints, with an adjusted financial loss totaling just over $15 million. In that category, the report identified 2,673 complaints identified as ransomware — malicious software that scrambles a victim’s most important files and holds them hostage unless and until the victim pays a ransom (usually in a virtual currency like Bitcoin).

According to the IC3, the losses associated with those ransomware complaints totaled slightly more than $2.4 million. Writing for — a tech support forum I’ve long recommended that helps countless ransomware victims — Catalin Cimpanu observes that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats.”

“The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities,” Cimpanu writes.

It’s difficult to know how what percentage of ransomware victims paid the ransom or were able to restore from backups, but one thing is for sure: Relatively few victims are reporting cyber fraud to federal investigators.

The report notes that only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion.

If that 15 percent estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million.

The IC3 reports that last year it received slightly more than 12,000 complaints about CEO fraud attacks — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. The fraud-fighting agency said losses from CEO fraud (also known as the “business email compromise” or BEC scam) totaled more than $360 million.

Applying that same 15 percent rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year.

Some 10,850 businesses and consumers reported being targeted by tech support scams last year, with the total reported loss at around $7.8 million. Perhaps unsurprisingly, the IC3 report observed that victims in older age groups reported the highest losses.

Many other, more established types of Internet crimes — such as romance scams and advanced fee fraud — earned top rankings in the report. Check out the full report here (PDF). The FBI urges all victims of computer crimes to report the incidents at The IC3 unit is part of the FBI’s Cyber Operations Section, and it uses the reports to compile and refer cases for investigation and prosecution.

Source: IC3

Source: IC3

Read more here:: KrebsOnSecurity

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)

We’ve written a couple times about the problem of patent trolls, and what we are doing in response to the first case a troll filed against Cloudflare. We set a goal to find prior art on all 38 Blackbird Tech patents and applications and then obtain a legal determination that Blackbird Tech’s patents are invalid. Such a determination will end Blackbird’s ability to file or threaten to file abusive patent claims, against us or anyone else.

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)CC BY-SA 2.0 image by hyku

The patent system exists to reward inventors, so it is no surprise that a patent has to claim something new — an “invention.” Sometimes the United States Patent and Trademark Office (USPTO) — the agency that administers the patent system — mistakenly issues patents that do not claim anything particularly new. The patent examiner may not be aware that the proposed “invention” was already in use in the industry, and the patent applicant (the only party in the process) doesn’t have an incentive to share that information. Often, the USPTO issues patents that are too vague and can later be broadly interpreted by patent owners to cover different and subsequent technologies that could not otherwise have been patented in the first place and couldn’t have been anticipated by the patent examiner.

Bad patents are bad for innovation, so how do we get rid of them?

The first step to invalidating the Blackbird Tech patents is to collect prior art on the patents. Prior art can include almost any type of evidence showing that the “invention” described in a patent already existed when the patent was filed. Common types of prior art include earlier-filed patents, journal articles, and commercial products (e.g., computer programs) that predate the challenged patent.

Prior art can be used to challenge the validity of the patent in several ways. First, we can challenge the validity of the patent asserted against us (the ‘335 patent) in the patent infringement case that Blackbird Tech filed against us. We can also challenge any of Blackbird’s patent in proceedings at the USPTO, through either a petition for inter partes review (IPR) or ex parte reexamination.

In this blog post, we walk through the administrative challenges to patents at the USPTO, especially the IPR, which we consider to be one of the most effective ways to shield ourselves and others from patent troll attacks on innovation.

No gridlock here: Congress agrees that bad patents must go

The IPR process was created by Congress in 2011 through the America Invents Act with overwhelming bipartisan support, passing the House by a vote of 304 to 117 and the Senate 89 to 9, and was signed by President Obama on September 16, 2011. The law was based on a growing awareness that it had become too easy to obtain low quality patents and too hard to challenge them in expensive and long court proceedings. As technologies continued to grow and develop, the patent system became inundated with bad patents issued during the dot-com era, many of which included vague claims relating to rudimentary web technologies. Over a decade later, these claims were being applied out of context and asserted broadly to shake down innovative companies using vastly more sophisticated technologies.

While few of the patents used in these shake-downs would have survived an invalidity challenge in front of a judge, the prohibitively high cost and delay of litigation meant that the vast majority of patent infringement claims settled outside of court for nuisance value. Defending a patent lawsuit in federal court costs millions of dollars (regardless of whether you ultimately have to pay a Plaintiff) and can take 2-3 years to resolve. As a result, courts rarely had an opportunity to invalidate bad patents. The patents lived on, and the nefarious cycle continued.

Seeking to break the cycle of misuse, Congress stepped in and created IPR to provide a streamlined process for invalidating bad patents. IPR is an administrative proceeding conducted by the USPTO itself, rather than a federal court. IPR proceedings have a limited scope and harness the USPTO’s special expertise in resolving questions of patent validity. As a result, a typical IPR proceeding can be completed in about half the time and at one tenth of the cost of a federal court case.

To date, over 6,000 IPR petitions have been filed, of which over 1,600 have resulted in written decisions by the USPTO. Many other cases either settled or remain pending. IPR petitioners have had a high rate of success. Of the 1,600 cases that reached a written decision, 1,300 of those cases were successful in having the USPTO invalidate at least one claim, and 1,000 were successful in having the entire patent invalidated.

Looking under the hood of an IPR

To initiate an IPR, the party challenging the patent files a petition with the USPTO identifying the patents, explaining why the patents should be found invalid, and presenting the relevant prior art. The owner of the challenged patent has an opportunity file a written response to the petition.

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)Image by Katherine Tompkins

The USPTO actually makes two major decisions during an IPR. The first is a threshold determination of whether to institute the IPR at all. The USPTO will institute an IPR if the petition (combined with the patent owner’s response, if one was filed) establishes a “reasonable likelihood that the petitioner will prevail” in invalidating one or more claims. One unusual feature of the IPR process is that the USPTO’s institution decision cannot be appealed. Both parties must live with whatever institution decision the USPTO makes. Since 2015, the USPTO has instituted about two thirds of all IPR petitions.

After an IPR is instituted, both sides have an opportunity to gather evidence, file motions, and present arguments. The USPTO then issues a final written decision on the validity of the patent. Unlike the institution decision, the final written decision of an IPR is appealable to the Federal Circuit Court of Appeals (a specialized appeals court that, among other things, hears appeals in most cases that involve patents). The time between the institution decision and the final written decision should not exceed a year, making IPR exceptionally compact compared to most full court proceedings.

In addition to speed, the legal standards that the USPTO applies in IPR proceedings are more favorable to the patent challenger than those applied in federal court:

  • The burden of proof for invalidating a patent in an IPR is lower than in federal court. The petitioner in an IPR proceeding must meet the “preponderance of the evidence” standard. This is the same standard of proof that applies in the vast majority of civil (non-criminal) cases. Simply put, whichever side has more convincing evidence wins. By contrast, a party raising an invalidity challenge in federal court must meet a higher “clear and convincing evidence” standard to prove that the patent is invalid.

  • The “strike zone” for prior art is bigger in an IPR than in federal court. The USPTO interprets challenged patents broadly — using the “broadest reasonable interpretation” standard — making it relatively easy to find prior art that falls within the scope of the patent. This makes sense as patent trolls often take the broadest possible interpretation of their patents when they decide whom to sue, thereby creating pressure for those parties to settle. Federal courts, on the other hand, interpret the challenged patent more narrowly, through the eyes of a hypothetical “person of ordinary skill in the art” (POSITA). A POSITA is someone who has experience in the technological field of the patent and can use technical context to narrow the scope of the patent. This narrower scope makes it harder to find prior art that falls within the scope of the patent.

  • Although the legal standards in an IPR proceeding tend to favor the challenger, other aspects of IPR proceedings can favor the patent owners. For example, unlike federal courts, IPR proceedings provide an opportunity for patent owners to amend their claims to circumvent the challenger’s prior art.

Ex parte reexamination forces abusive patent owners to defend their patents

For all of the built-in efficiencies of the IPR process, an IPR still closely resembles a traditional court case in many important respects. For example, an IPR generally requires a petitioner to undertake a full slate of heavy-duty legal tasks, like writing briefs, filing motions, and making oral arguments. As a result, even though going through an IPR process is far less painful and expensive than being dragged through the federal courts, it still involves significant legal fees and demands a high level of attention that could otherwise be spent innovating.

Enter ex parte reexamination, which strips down the process for challenging patent validity even further. In ex parte reexamination, the party challenging the patent files a petition with the USPTO in much the same manner as an IPR. However, once the petition is filed, the petitioner steps out of the picture entirely. Instead, the USPTO reassesses the validity of the challenged patent by engaging in a semi-collaborative back-and-forth between the USPTO and the patent owner, without the challenger’s continued involvement. This back-and-forth is virtually identical to the original examination process between the USPTO and applicant that led to the patent being issued in the first place.

Like an IPR petition, the petition for ex parte reexamination has to cast sufficient doubt on the validity of the patent before the USPTO will order an ex parte reexamination. In this case, the legal standard that the USPTO uses is whether the petition establishes a “substantial new question of patentability.” To date, over 90% of petitions for ex parte reexamination have been granted.

With a relatively low up-front investment and no continuing costs incurred by the petitioner, an ex parte reexamination has the advantage of forcing patent owners back to the USPTO to defend their patents or risk invalidation. And more often than not, the patent owner in an ex parte reexamination will end up making significant concessions along the way — amendments that narrow the scope of a patent. To date, 67% of ex parte reexaminations have resulted in at least an amendment to the patent, and another 12% have been successful in having an entire patent invalidated. These concessions, even seemingly minor ones, can successfully thwart a dubious claim of patent infringement and severely limit the owner’s ability to pursue future claims of infringement.

USPTO review of patent validity (IPR and ex parte) faces an uncertain future

In a surprise decision last week, the U.S. Supreme Court announced that it has decided to hear the case of Oil States vs. Greene’s Energy Group, et al. The key questions that the Court will decide is whether or not the IPR process is constitutional. The stakes are significant: if the Supreme Court finds IPR unconstitutional, then the entire system of administrative review by the USPTO — including IPR and ex parte — will be abandoned.

Oil States had a patent related to — you guessed it — oil drilling technology invalidated in an IPR proceeding and subsequently lost an appeal in a lower federal court. It has asked the Supreme Court to hear the case because it feels that once the USPTO issues a patent, an inventor has a constitutionally protected property right that — under Article III of the U.S. Constitution (which outlines the powers of the judicial branch of the government), and the 7th Amendment (which addresses the right to a jury trial in certain types of cases) — cannot be revoked without judicial intervention.

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)Image by Eric Kounce

It’s important to understand what it means for the Supreme Court to agree to hear a case — or as lawyers would insist: grant a writ of certiorari. The Supreme Court only hears the case it wants to in order to resolve issues of sufficient importance or disagreement. Over the past several years, the Court has only agreed to hear about 1% of the cases submitted to it. Four Justices have to vote in favor before a writ of certiorari is granted. Grants are almost always made where there is disagreement among the federal appellate courts or on issues taken from the front page.

Oil States is not the first case to make its arguments against the IPR system, but it is the first that the Supreme Court has agreed to hear. Notably, lower courts have repeatedly rejected the stance taken by the petitioner in Oil States. This is more problematic than it seems because if the Supreme Court was comfortable with the status quo, there would be no reason for them to hear the case. The decision to hear the case suggests that at least the four justices who voted to grant the writ of certiorari are considering going in another direction (though perhaps predicting the Supreme Court’s views is better left to science).

A quick fix of the patent system is better than no fix at all

Because Congressional action creating the IPR was a prudent and resoundingly popular action to blunt abuses of the patent system, there are several concerning aspects of a potential invalidation of the IPR system by the Supreme Court. The patent troll system is based on the idea that American companies would rather pay billions of dollars to resolve meritless claims of infringement than suffer the delay and expense of pursuing those claims in federal court.

In response, members of Congress set up a better–though still not perfect–system for having these disputes resolved. The court system should have taken steps to improve its own processes to make them less susceptible to being used to distort the ability to have legitimate disputes resolved. Instead, a decision by the Court to invalidate the IPR process would be the equivalent of the Court failing to clean up its own mess and then prohibiting anyone else from doing so.

And it seems a bit incongruous that rights granted through a system created by statute which gave decision making authority to a patent examiner at the USPTO—the patent system—cannot be modified or altered through a system created by a subsequent statute and using the benefit of actual experience. USPTO reviewers grant patent rights, so why are other USPTO reviewers prohibited from changing that designation?

Getting ourselves into the game

Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)CC BY-SA 2.0 image by meanie

We will be closely monitoring developments in Oil States and expect that we will contribute to an Amicus (or “friend of the court”) brief making sure the justices are aware of our position on this issue. Our hope is that the justices voting to grant the writ of certiorari were only considering the implications on the parties to that case (neither of which is an NPE), and not fully considering the larger community of innovative companies that are helped by the IPR system.

While we await a decision in Oil States, expect to see Cloudflare initiate IPR and ex parte proceedings against Blackbird Tech patents in the coming months. In the meantime, you can continue to support our efforts by searching for prior art on the Blackbird Tech patents, and you can engage in the political process by supporting efforts to improve the patent litigation process.

Read more here:: CloudFlare