Next month:
December 2006

Posts from November 2006

The Register- "VoIP - open season for hackers"

(Originally posted at

As I wrote about over on Voice of VOIPSA, the Register posted an article yesterday "VoIP - open season for hackers". The article is mostly good PR by a security company promoting itself and doesn't really seem to add anything brilliantly new to what we've already known in the VoIP security field... but the fact that it's posted in the Register pretty much guarantees high visibility.

Another good reason for VOIPSA to get the Best Practices document done soon...

Technorati Tags: , , , ,

VOIPSA best practices mailing list growing fast...

(Originally posted at

Publicity helps, of course. Start talking about something and the people start signing up. Overnight the VOIPSA "best practices" mailing list has grown from 26 to 65 subscribers, with more subscription notices coming in each time I look at my email. This certainly reflects the way I distributed the word... I'm sure many people, myself included, route the VOIPSEC mailing list into a folder where they read it when they can. Or at least they read other messages before that of a "mailing list". So I expect I'll continue to see subscriptions coming in over the next couple of days.

As the mailing list administrator, I naturally receive the subscription notifications and I have to say that there are some pretty impressive people and companies among those who have subscribed. I think we now have one or more representatives of basically all of the major IP-PBX vendors, a good number of security vendors, univerisites, US government agencies, a few financial institutions (good to have, given the natural security paranoia of banks)... plus a whole host of people that are using various Gmail, Yahoomail, etc. addresses that give nothing away about their identity. (I would expect nothing less from a group of security professionals! :-) Good number of folks participating from companies around the world. Knowing the caliber of some of the people who have signed up thus far, I'll admit that it could be a bit intimidating.... luckily, for better or worse, I've never been accused of a lack of self-confidence. :-)

A lack of time is a different issue, though, but it looks like things are okay to the point where I can spend the afternoon putting the last pieces together in the wiki to be able to start a discussion tomorrow. We'll see...

Technorati Tags: , , , , ,

VOIPSA "VoIP Security Best Practices" project to launch this week

(Originally posted to

Cross-posting from Voice of VOIPSA where I posted this earlier today:
I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of "best common practices" that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I'm still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don't want to join a mailing list, updates will be posted here on this blog from time to time.
I went into a bit more detail in a subsequent post to the VOIPSEC mailing list, mentioning, for instance, that people who think they will be interested in editing/commenting on the actual text should make sure they are registered in the VOIPSA wiki.

I'm excited to get the project underway... I've been trying to get it launched for the last month or so, but between travel and RFP deadlines, the time has never seemed to be right. It's still not right, as I have to finish a couple of RFP contributions and then I'm off to London next week, but the project has to begin *sometime*. As I expected, I'm already seeing a good number of folks subscribing.. probably up around 50 and the news is just going out now, so I'll expect to see more in the next day or so.

My goal is to finish up some of the back-end wiki things tomorrow and then launch on Thursday.

If you are interested in contributing, please do follow the links and join the mailing list.

Technorati Tags: , , , ,

The intersection of VoIP and grocery stores? In Peru?

(Originally posted at

Progressive Grocer doesn't immediately leap to my mind as a place that would be writing about VoIP, but here they were writing about Peru's Number 2 supermarket chain deploying VoIP. On second thought, though, it makes sense that "progressive" food retailers would look at VoIP as a way to enhance/improve their operations. In any event, kudos to Mitel's partner in Peru, Data Voice, as well as our South American team, for winning the business. Our press release has more information (obviously from a Mitel perspective).

Technorati Tags: ,

Hosted VoIP application provider Natural Convergence announces $10M in funding

(Originally posted at

Kudos to David Cork and his team over at Natural Convergence Inc(NCI) for their announcement of $10 million USD in funding. Given that they are a sister company[1], I've met a good number of their folks over the years and have been quite impressed with both their staff and their technology.[2]

Their approach to the SMB space is a very interesting one in that the application they provide allows service providers to have an offering that allows small businesses to replace their aging key systems with new VoIP systems... without having to take on the administration of an IP PBX. The SMB gets the advantages of VoIP, such as new apps or being able to have an extension basically anywhere in the world that there is an IP address (from the simple case of the owners' homes to cases like remote office or workers), without having to invest in any on-premise equipment or having to manage the software. So a service provider that wants to roll out a VoIP offering to small businesses can just buy the NCI solution and start rolling it out.

Congrats to the whole team on landing the funding - I look forward to seeing how they will grow! [3]

P.S. Tip of the hat to Jon Arnold for blogging about this. In getting caught up on post-holiday reading, I learned of the funding there.

[1] Full disclosure: NCI is, like my employer Mitel, a member of the Wesley Clover group of companies and Mitel partners with NCI in some areas.

[2] They also had (and may still have) a very cool office in an old movie theater building in Ottawa and kept one of the movie theatres intact for demos and presentations. (Nope... they moved to a different office some time ago.)

[3] And I'll save a debate on the merits of "on-premise" versus "hosted" VoIP for another day... suffice it to see I see value in both and recognize that different customers require different solutions.

Technorati Tags: , , ,

Click-to-Call, Google Maps, security - and the fundamental disruption to the carrier telephony space

Over on "Voice of VOIPSA", Dustin Trammel wrote a long post called "Click-to-Harrass" that discusses "click-to-call" services and specifically the new Google Maps click to call capability. I wrote a comment that inadvertantly wound up being almost as long as Dustin's article. Given that it had been a topic I was thinking about writing about here anyway, I decided to cross-post my comment here as well.


Nice piece. TechCrunch also had a post yesterday speculating that Google had pulled Click-To-Call because of harrassment issues, although it seems to have just been a temporary service outage as the service is back running today (used it myself this morning).

The interesting thing, though, is that you can see the immense value to the consumer for this type of service. Over the past few days I've been testing it myself with calling various local businesses here in Vermont. I have to say it has worked great. Find them in Google Maps, click the "call" button, wait for the ring of my phone, press the "Talk" button on my wireless handset and... ta da... I'm connecting to the business. It is a little strange for other people in the house (i.e. my wife) to hear the phone ring once before I pick up, but outside of that, it works fine. From a consumer point of view, it's a wonderfully easy way to find businesses and connect. Why should I remember my dentist's number when I can just find them in Google Maps and click "call"? Simple. Easy. Convenient.

Interestingly, the Caller ID that I see is that of the business I am calling, so I'm not entirely sure how that is all working. You are right, though, that this does raise serious issues around the accuracy of call records. I'll have to look at my next phone statement and see how (or if) these calls are recorded.

From a security point-of-view, too, it's not entirely clear to me personally where all these calls are going. Presumably Google is using some VoIP Service Provider (some posts have indicated it is VoIP, Inc., in Florida) who is initiating the calls to myself and the other business. How long is my call actually in "VoIP" versus the traditional PSTN? What IP networks does it traverse? What is the window of exposure for interruption or interception? All good questions without ready answers (at least that I can see).

What is interesting to consider, also, is how fundamentally disruptive this and other similar services are to the traditional carrier market. Why should I pay Verizon (my carrier here in VT) anything beyond the very, very basic service if I can use these services for my connections? Given that the model today here in the US is that incoming calls are free, what is my incentive to go beyond the very basic plan? Suddenly instead of paying $50 or $70/month for an unlimited NA calling plan, I'm paying $15/month for rudimentary service. Just use a click-to-call service... especially a free one from Google, and you're set. Now, granted, I need to use some other service for calling residences, since Google is only businesses, but still, the point is that these services have to be giving carrier execs severe cases of agita.

It will also be curious to see the effect this Google effort has on JaJah and friends, where Google is making it free. Given that JaJah's business model seems to be around charging people for calls longer than 5 minutes, a move like this has got to be a threat to that model. On the other hand, they may be wagering on the "stickiness" of customers... once they have started using Jajah, they'll stick with it. However, customers are fickle and we've seen time and time again that free beats everything else (witness Skype's growth).

What I am not entirely clear on is the business model for Google. Obviously this service can drive people to use Google Maps, but okay... so what? As of this moment, there is no blatant advertising on any of the queries I've done. Now this may just be that no one has sponsored any links relevant to my very local queries. I note that when I did a query on "map store, boston, ma", I got sponsored links above and below my search results. So maybe that is it... which seems kind of weak to me personally. If I'm looking up a business, for me odds are pretty certain that I'm going to call that business. But maybe that's just me. Maybe enough other people are clicking on the sponsored links that giving away calling minutes is an effective loss leader to bring people to the site. I'm sure Google being the behemoth that they are they can get very aggressive pricing, so all the collective minutes may just be noise in their balance sheet.

Anyway, it's fascinating to watch all of these services evolve, and yes, as you indicate, there are serious security issues that do need to be addressed. We shall see how this all shakes out.

Thanks for writing this post,

Technorati Tags: , , , , , , ,