April 28, 2008

Tracking iSkoot's security issue exposing Skype usernames and passwords

Over on the Voice of VOIPSA weblog, I have been tracking a security issue in the iSkoot program that was transmitting your Skype username and password in the clear. The post, its comments, and the corresponding links off of it make for some interesting reading.

It also shows the speed at which the blogosphere can react and potentially help sort things out. In the space of about 48 hours, a problem was found, confirmed, identified by the vendor and apparently will be fixed shortly. I'll be writing more about this later today over on the Voice of VOIPSA weblog, but for now I'll just say that it's great to see that the problem is being dealt with.

April 04, 2008

My "Black Bag Security Review" hits IT Conversations' Top 10 Downloads for March 2008...

I was rather surprised but pleased to see that my "Black Bag Security Review" was on the list of the "Top Ten IT Conversations Shows for March 2008". My "surprise" was mostly because that particular talk is over a year old and was given at the ETel 2007 show back at the end of February 2007.

To be honest, I was not actually aware (or didn't remember, anyway) that the IT Conversations Network had distributed my talk but I'm guessing they did so with a number of the ETel sessions.

Unfortunately, they don't include the slides, which I put up in the Blue Box posting and also just generally made available on SlideShare. Without the slides, I suppose it works perfectly fine... I've just never listened to it that way. It was still one of the most fun presentations I've ever given. It also took a ton of time to prepare. 243 slides in 14 minutes... :-) (I did write up some notes about the presentation and the style, etc.)

Anyway, it's cool to see people discovering that session again. Nice surprise!

March 17, 2008

My presentations at VoiceCon this week...

I'm down in Orlando this week for VoiceCon Orlando and will be part of three sessions. Tomorrow, I'm moderating a panel at 8am on VoIP security and on Thursday I'm moderating a panel on open source telephony. On Wednesday, I'll be part of a keynote panel with Irwin Lazar on "Social networking and enterprise communication", which should be quite fun. I'll include below the full descriptions of the various sessions. If you are attending VoiceCon and want to connect, please do contact me.

Session Title: Top VOIP Security Threats
Date: 3/18/2008
Time: 8:00 AM
Room: Osceola B
Session Description: There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.
KEY QUESTIONS:
  • What are the most serious voice-oriented attacks that are actually being carried out? What potential attacks haven't occurred yet but probably will before long?
  • How do you protect your VOIP systems against these attacks?
  • What types of equipment and technologies must you implement to stop voice-oriented attacks?
  • What specific kinds of damage can these attacks cause?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Panelist(s): Sachin Joglekar - Vulnerability Research Lead - Sipera Systems
David Endler - Director of Security Research - TippingPoint
Mark Collier - CTO - SecureLogix
Session Title: Open Source for Enterprise Voice: How Much, How Soon?
Date: 3/20/2008
Time: 11:45 AM
Room: Sun C
Session Description: Open source PBXs are gaining a higher profile: Asterisk and other open-source PBX software packages continue to gain acceptance, and some traditional PBX vendors have implemented open source code for their products. But these efforts still aim mainly at smaller implementations. In this session, you'll learn why open source PBX software has growing appeal, and whether it will appeal to larger customers as the market progresses.
KEY QUESTIONS:
  • What level of market share and acceptance has open source PBX software attained? What is expected?
  • Which products use open source PBX software?
  • What are the most compelling reasons for choosing open source PBX software? What are the greatest areas of concern in making this choice?
  • What are the technical challenges of an open-source PBX deployment, and how are these overcome?
  • What are some real-world customer experiences with open source PBX software?
Moderator(s): Dan York - Dir of Emerging Comm Tech - Voxeo
Speaker(s): M Raza - Product Management - 3Com
Bill Miller - VP, Prod Mgt & Mktg - Digium
Tony Pereira - Business Leader Business Communications - Nortel
Session Title: Social Networking Meets Enterprise Communications
Date: 3/19/2008
Time: 10:30 AM
Room: Osceola C
Session Description: It's no secret that the world of enterprise communications is undergoing a transformation; IP Telephony and Unified Communications are changing the nature of the game. Now new forms of interaction, which began in the consumer/personal communications market -- blogs, wikis and online services like Facebook -- are migrating into the enterprise. Where do these social networking systems -- and mindset -- fit into the enterprise communications landscape? Join us for a discussion about what's real today and what's likely to happen in the future.
Panelist(s):
Dan York - Dir of Emerging Comm Tech - Voxeo
Irwin Lazar - Principal Analyst & Program Director, Collaboration & Convergence - Nemertes Research

February 27, 2008

I'll be down at VoiceCon Orlando in March 2008...

FYI, I will be down at VoiceCon Orlando on March 17-20, 2008. I'm moderating two panel sessions (see the schedule). First up, bright and early at 8am on Tuesday, March 18th, I'll be moderating a panel on "Top VoIP Security Threats". This should be a fun one as it has VOIPSA Chair Dave Endler, Mark Collier of SecureLogix and Sachin Joglekar of Sipera Systems. I know all three of the guys, particularly Dave and Mark who have both worked on VOIPSA matters, and this session should be a good bit of fun. I'm planning on making it a rather interactive session. :-)

At the other end of the show, on Thursday, March 20th, at 11:45am, I'll be moderating a panel "Open Source for Enterprise Voice: How Much, How Soon?". This should be interesting because it has Bill Miller from Digium (makers of Asterisk), who I know well, and M Raza from 3Com... and then Tony Pereira from Nortel! 3Com's presence on the panel isn't particularly surprising given their relationship with Digium, but it will be interesting to see Nortel's view on the matter.

All in all it should be quite an interesting show. Lots of good sessions and, I'm sure, interesting people to meet. If you're going to be down there, please do drop an email as I'm always interested in meeting readers of the blog.

February 04, 2008

IETF "RUCUS" BOF to be held about SPIT...

Over on the Voice of VOIPSA blog today I posted about a new session that has been approved for the IETF 71 meeting coming up in Philadelphia in March called "Reducing Unwanted Communications using SIP" a.k.a. "RUCUS". Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. I'm planning to be at the RUCUS session at IETF 71 and would encourage others who want to talk about voice spam / SPIT to join in as well!

January 17, 2008

I'll be speaking at Ingate's SIP Trunking Seminars at IT Expo in Miami next week

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA's behalf at Ingate's SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled "Seminar/myth 1: VoIP is not secure".

If you are going to be down at IT Expo, do check out the full schedule for Ingate's SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I'm always interested in meeting readers.

October 30, 2007

My interview on PulverTV today...

Today at Fall VON in Boston, Jeff Pulver hosted a special version of his Pulver TV show where he interviewed a number of people from the conference including me. First up was Jason Calcanis of Mahalo fame. Next was James Tagg, Founder and CEO of TruPhone. I followed and then the show wrapped up with Bob Frankston who is perhaps most widely known as one of the inventors of VisiCalc.

My part of the show starts at 14:30 and goes until 23:24. (When I nicely leave the stage without taking off the lapel mic! Oops! Sorry about that... ) We talked about my presentation at VON (on Thursday), application platforms like Facebook, my new role with Voxeo, social media in general and much more. It was a good bit of fun to do and I have to thank Jeff for giving me the opportunity to participate.

October 29, 2007

Skype and secure SIP? (Why would I see this message?)

Whenever I'm using Skype, I have the "Display technical call info" setting enabled so that I see technical stats about the calls I am on. Those windows tend to stay around after a call... and I noticed this one still around with an identity of "securesip". I've tried to replicate this with calls that I've recently made to see if I could get the window again, but can't seem to do so. Anyone know why I might be seeing this?

I'm curious...

At Fall VON this week... speaking on Thursday

I'm in Boston this week at Fall VON. I'll be speaking on Thursday at 12:45 on (predictably) "Strategies for Solving Security". If any readers are at VON, feel free to drop a note. I'm always interested in connecting with readers.

October 24, 2007

Heading to New York today for Interop... speaking tomorrow on VoIP Security

In a few hours I'll be boarding a plane back to New York where I'll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I'll be on a panel at 2:45pm with Jonathan Rosenberg about "Voice-oriented Attacks". (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of "security"-related sessions!) If you aren't aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He's also the author of "The Hitchhiker's Guide to SIP" which aims to help guide people through the maze of the many, many documents that now are part of "SIP". More relevant to tomorrow's session, he's also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)... we'll see if we can make it fun as well. I've also asked Interop for permission to record it and run it as a Blue Box podcast - we'll see if they give me permission.

Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 - LEVEL 1. Assuming that everything works with my flights today, I'll be there.

I'll even have some new business cards to give out... ;-)

September 21, 2007

Heading out to Astricon 2007 next week to talk on VoIP security...

Well, I just confirmed my travel schedule - I'm going to go have a bit of fun out at AstriCon 2007. AstriCon, for those who aren't aware, is pretty much the premiere event for Asterisk developers. I'm scheduled to speak on Thursday about (surprise!) VoIP security. My talk is an "industry perspective" in my capacity as a board member of the VOIP Security Alliance and won't be specifically Asterisk-focused, although I will include a few pieces about what you need to think about with Asterisk and the holes that Asterisk still needs to fill (like, oh, SRTP, which I know is coming). I know Mark Spencer and a good bit of the Digium crowd, so it will be fun to hang out with them (especially given my new independent status).

If any of you reading will be out there, please do feel free to drop me a line so that we can connect.

P.S. After AstriCon, I'll be heading over to the Podcast and New Media Expo in Ontario, CA. If any of you will be there, please do drop a note as well.

September 09, 2007

Great overview of SIP security now posted on Blue Box site...

Over on Blue Box, I uploaded on Friday what I consider one of the best overviews about SIP security that we've done: Blue Box Special Edition #20.  I recorded the interview out at VoiceCon San Francisco in August and it's with Cullen Jennings who is a Distinguished Engineer at Cisco Systems, but more relevant to SIP is one of the Area Directors for the Real-time Applications and Infrastructure (RAI) area within the IETF.  Basically all of the proposals for RFCs relating to SIP roll up under the RAI area.  Cullen's also quite interested in and knowledgeable about security and in fact several of the security-related RFCs related to SIP include Cullen as one of the authors (as do a number of the current proposed Internet-Drafts). 

So he knows his stuff... and being a frequent presenter, he's also good at distilling complex things down into more simple descriptions, so it was an enjoyable interview that I think you will also find quite educational.  If you're working with SIP, or considering it, I'd highly recommend you listen to the show.

August 31, 2007

FYI - I'm speaking at Ingate SIP Trunking Seminar Series Sept 11 in LA (concurrent with Internet Telephony Expo)

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I'll be participating in a panel session that is part of Ingate's SIP Trunking Seminar Series. I expect it will surprise no one to learn that I'll be on the panel about "Enterprise Security and VoIP" wearing my VOIP Security Alliance hat. My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am. (And yes, I guess it is appropriate in a way to be talking about security on 9/11!) More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form.

August 06, 2007

Skype Journal: "Security, Skype and the Blackberry"

Since I have written here about the new Skype clients for the Blackberry, such as iSkoot and IM+, and questioned the security of those clients, I feel compelled to note that Jim Courtney over at Skype Journal, who also writes a good bit about Blackberries as well as Skype, has posted his response to the issue on Friday: "Security, Skype and the Blackberry".

I still suffer a lingering uncertainty, but I'll admit that Jim's digging does seem rather persuasive.

August 03, 2007

TMC.net interviews me: "Security and Disaster Recovery for IP Telephony Systems"

Just out yesterday, TMC.Net published an interview with me titled, "Security and Disaster Recovery for IP Telephony Systems", by Mae Kowalke, where I talk about general VoIP security issues and then get into specifics about Mitel solutions.  Given that the author nicely gave me the chance to review the text and offer feedback before she published it, I have to say I'm pleased with how it came out. :-)

(And yes, I normally blog about VoIP security over on the Voice of VOIPSA weblog, but I just feel weird about posting something like this over on that site.)

July 10, 2007

Travelling to/speaking at ACUTA conference in Hollywood, Florida, July 29-Aug 2

FYI, on the week of July 29th - August 2nd, I'll be down in Hollywood, Florida, at the annual conference of the Association for Communications Technology Professionals in Higher Education (ACUTA). I will be speaking on... surprise!... VoIP security! There look to be a great number of interesting talks on the schedule, and so I'm looking forward to wearing my CTO Office hat (versus my pure "VoIP security" hat) and listening to and learning from what many of the folks involved with deploying leading-edge IP communications technologies in the education space are doing. There will, of course, also be some security talks of interest.

If any of you reading this weblog will be down there at the ACUTA conference, please do feel free to drop me a note, as I definitely do enjoy meeting with others who connect through the social media space.

P.S. And yes, Florida in late July/early August is definitely not my idea of a fun place to be... good news is that we'll be indoors!

June 15, 2007

Heading out to Mitel Forum June 25-27 in Las Vegas...

FYI, while I don't usually write a whole lot about Mitel here, I do in fact work for Mitel and after I return from a week of vacation I'll be heading down to Las Vegas on Monday, June 25th, to speak at our Mitel Forum event for resellers, consultants and analysts. If any of you who read this weblog will be down there, I'll look forward to seeing you there (and please say hello). You'll find me giving presentations on... gee.... "VoIP Security" and "Business Continuity"! (Surprise, surprise...) Should be a very good event.

May 14, 2007

Heading out to Arizona for US DoD/JITC conference on telecommunications

In a few short hours, I will be catching a plane heading out to Fort Huachuca, Arizona, to swim in an alphabet soup of very different acronyms and jargon than my normal work - the "OSD-Sponsored, JITC-Hosted DOD Telecommunications Services Information Conference".  As noted on the page:

The purpose of the conference is to provide an open forum where DOD and vendor representatives can discuss issues related to interoperability of systems providing DOD Telecommunications Switched Services.

The conference will present the current program and discuss ongoing developments to the interoperability certification and information assurance procedures and test documentation. Other topics for discussion include emerging technologies, standards and their integration into the systems providing DOD Telecommunications Services.

I attended last year as well and it's definitely an interesting experience.  The US DoD is really doing some intriguing things with how they make use of VoIP / IP Telephony.  Obviously security is rather important.  They are also driving IPv6 adoption into their infrastructure and so, with the June 2008 mandate only a year away, it will be quite interesting to hear where they are with regard to IPv6 adoption.  Obviously, their huge size and buying power is of strong interest, so the number of vendors will no doubt be high.  Also, and I would think "obviously", I won't exactly be writing about things that I hear or learn there.

If any of you reading this happen to be out there at the conference, do drop me a note as I'm always interested in meeting readers or listeners.

May 07, 2007

Getting ready for VoIP "botnets" that attack SIP systems...

Over on the Voice of VOIPSA weblog, I just posted "Ready or not... here come the IRC-controlled SIP/VoIP attack bots!" Given the sheer number of VoIP security tools out there, I think I and most others involved with VOIPSA figured it was only a matter of time before someone automated the attacks.  Did I hope that the creation of "bots" could have held off for a bit longer?  Definitely... but we have to play with the cards we are dealt.

I tried in the article not to hype the threat... as far as we are aware, there are not massive botnets out there waiting to attack VoIP systems. But there is now a proof-of-concept "bot" out there and those of us dealing with VoIP security have to look at how that could impact us.

And it's definitely a sign that we as an industry really have to get security locked down on SIP systems!

April 23, 2007

Blue Box Podcast #56 posted, beginning a series of VoIP security tutorials

I posted Blue Box Podcast #56 tonight and with it Jonathan and I are beginning a series of mini-tutorials on subjects related to VoIP security.  In this show, we talked about voice encryption. In the next show (already recorded) we will talk about signaling encryption.  The idea is to cover some basic ground so that people not familiar with the area can have a basic understanding.

Just glad to get that one up - tomorrow I'm going to work on #57 to see if I can get it online for Wednesday.  We're trying hard to get back on a weekly schedule.  (#56 was intended to go up last week.)

April 12, 2007

My article "Using IP Communications as a Tool for Disaster Recovery and Business Continuity" is now online

I just realized that I never wrote here that an article I wrote recently came out online.  Published in Mitel's "Presence" magazine, it's titled "Using IP Communications as a Tool for Disaster Recovery and Business Continuity".  Okay, so the title's not overly catchy, but here's the first paragraph:

If a hurricane devastated your main office, how rapidly could you restore telephone connectivity? If a branch office had a fire or other disaster, how soon could you connect back into the main office? Or if Avian flu or some other pandemic created a situation where you needed to stay out of the office, could you access remote phone capabilities equal to that at the office? How long would it take your business to recover? How much (and how many customers) could you afford to lose in the process?

I go on to talk about why IP communications/IP telephony/VoIP fundamentally changes the traditional way you might address these issues and offers tremendous benefits. In fact, to me, the ability to put an IP phone pretty much anywhere you can get an IP address remains one of the major - if not the single biggest - disruptive aspects of IP telephony/communications. Remove geography as an issue and suddenly things like disaster recovery and business continuity take on a whole different view.

While it's in a Mitel publication, there's nothing in the article that is really Mitel-specific.  Listeners to Blue Box or readers of Voice of VOIPSA probably won't find it terribly new since I've been talking about this before in those sites... but for those of you not familiar with DR and BCP and how VoIP can change that, I think you'll find it a useful read.

April 02, 2007

Shawn Merdinger - The Top 11 VoIP security issues you need to discuss with your vendor

Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the "top 11 VoIP security issues you need to discuss with potential vendors".  His posts are:

with the third post coming at some point soon to cover points 9-11.  Shawn's posts are definitely "required reading" for anyone working on or concerned about issues around VoIP security.  He's done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).

March 05, 2007

Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers

ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack".  Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ".  I think you can gather my opinion from the title.  It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).

The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...

March 01, 2007

ETEL - Black Bag Security Presentation, 243 slides, Lessig connection, errata... slides available

So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now.  The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here.  As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!).  I'll put a PDF up here as well once I get back to Vermont.  It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.

However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link. 

Had a couple of interesting questions and points of feedback about the talk (and things I noticed):

  • Yes, there were actually 243 slides and yet it came in a hair under 15 minutes.  This is a very different way of presenting than a "traditional" deadly PowerPoint presentation.  More slides... minimal text... fast transitions.  The point is to accent your story and leave the focus on you and what you are saying.  Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text.  One or two words maximum on a slide.
  • Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos.  I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story.  Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets.  Lawrence Lessig is definitely a master of the style and I admire what he does.  When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF.  (It is also well worth a listen for the subject matter as well.)  So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation.  Personally, I wish more people would present this way.
  • On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs.  He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.

    He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away. But the question is whether or not they are secured by default. In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security. Perhaps they installed it and didn't enable required security options. Perhaps they turned the security features off. Perhaps the IP-PBX didn't have it in the first place. I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder. I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on. All of the major vendors in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP. We have to, because enterprises demand it.

    That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space). You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had. So in the end, he did have secure VoIP.

    It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
  • Another person asked about why I focused only on SIP.  Well, the answer is pretty much...  15 minutes.  That's the amount of time I had to do this talk.  In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
  • One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me.  I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story.  While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation.  VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..."  Welllll... not quite.  CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
  • Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right).  I thought it was just a great little nod to the Canadian heritage of my employer!  (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
  • And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference!  ;-)

With that, I'll end the commentary and just try out the embedding of the SlideShare object.  Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:

Comments, feedback and opinions are definitely all welcome.

February 27, 2007

And so ETel begins...

Today starts the first day of ETel, a.k.a. O'Reilly's Emerging Telephony conference. ETel is not one of the giant conferences... unlike one of the VONs, Internet Telephony or VoiceCon there will probably only be 500-1000 people here.  But that is part of the charm, really (and this is only the second year)... it's a place for the VoIP alpha-geeks to network, promote their visions, combine their visions, socialize and otherwise just learn a heck of a lot from each other.   The schedule is packed with great info... the speaker roster is a veritable "Who's Who" of people playing in the "Voice 2.0" or "Telephony 2.0" (or <pick your cliche term>) space.  All in all, it's one conference I've been very much looking forward to.  Just in town last night, I've already run into Alec Saunders, Brad Templeton, Bruce Stewart, Surj Patel... had dinner with Blue Box podcast co-host Jonathan Zar and security researcher Shawn Merdinger...   I know Ken Camp is around, Andy Abramson, Om Malik and so many others... it should be a great and fun conference.

For my part, I am doing two sessions.  First, today at 1:30pm Pacific, Jonathan, Shawn and I will be doing a 90-minute workshop on VoIP security, primarily from an industry-wide VOIPSA point-of-view.  We'll go over the main issues around VoIP security, talk about the threats, tools, best practices and more.  We're hoping to do it more as a fun conversation rather than a dry panel... you'll hopefully get to hear the results later yourself as I'll be recording the session for distribution as a Blue Box podcast.  O'Reilly has graciously given that permission again, which is wonderful. (And I, of course, brought all my field recording gear.)

One of the things the three of us will also be doing is talking about a list of VoIP security tools that VOIPSA has been developing... stay tuned for more on that.

Then on Thursday I have my "general session"... my "15 minutes of fame" (or infamy) from 11-11:15am in front of the entire assembled crowd... where I will attempt to digest into that brief time the salient points about VoIP security.

I am actually VERY much looking forward to this session because I've done my presentation in a completely different style from any other presentation that I've given publicly.  I'm going to tell a story... and do so in a way that should be both fun and entertaining... and will also get the points across.    I'll say little else... except perhaps to dangle the tease that it comes in at over 200 slides yet clocks in at only about 11 minutes right now. (have to leave time for questions, eh?)    Like I said, completely different style from other presos I've given... but I'm very much looking forward to it.

Will I succeed?  Or will I fall flat on my face before several hundred of my peers?  Stay tuned...  ;-)

February 22, 2007

Tom Keating reviews "pbxnsip", an inexpensive IP-PBX based on Windows with a focus on security

Noticed today that Tom Keating has a review up on "pbxnsip", which has the interesting twist of being a low-cost PBX solution running on Microsoft Windows.   Most other inexpensive or open-source software-only PBX solutions tend to run on Linux, and indeed, pbxnsip does have Linux versions (and apparently NetBSD although they are not listed... perhaps they just run the Linux version).  I first actually learned of pbxnsip some time ago at one of the various VoIP tradeshows when I was struck by the fact that they were advertising security as the main point in big letters on the background to their booth. In fact, security is #2 on their list of "reasons to buy":

It addresses security. The pbxnsip PBX uses https, sips, SRTP and sdes to make the communication to your PBX secure. Using sdes-capable devices, your voice calls will stay as secure as your https traffic.

Well, gee, given my background, it's not hard to imagine that any vendor that basically leads with security gets some extra points in my book.  (Especially since doing so has the potential to paint a big red target on your back to all the attackers out there who like to debunk claims about security.)  I've not played with it myself, but Tom's review does indeed make it sound interesting.

I guess I'll have to add it to the (huge) list of things to check out...

Thanks, Tom, for as usual providing your very thorough reviews - you definitely help a lot of the rest of us.

UPDATE: I knew there was another reason I knew of pbxnsip... CEO Christian Stredicke has been on the VOIPSEC mailing list for quite some time, although I recall hearing from him primarily when he was with snom technology.

February 15, 2007

Doing a "deep dive" on OpenID...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchanges with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here are some good places to start if you know nothing about it:

Lots to learn out there...

Blue Box Podcast #50 finally hits the feed...

Fans of Blue Box have to be aware that I'm a wee bit behind in posting episodes... so I was delighted to finally get Blue Box #50 uploaded yesterday.  I still need to finish putting the show notes up there, but at least the show is out so that people can listen to it.  Given that we recorded it January 17th, it has already aged a bit.  Tonight or tomorrow I'm hoping to get #51 up... and then #52 has already been recorded as well... I'd like to get caught up before going out to ETel where I'm undoubtedly going to get more recordings for special editions.

January 30, 2007

Richard Zhao's new blog URL - sbin.cn/blog - telecom and voip with a Chinese view...

I've long enjoyed Richard Zhao's posts at "Telecom, Security and P2P" because, living in Beijing and working for Lenovo, he brings a distinctly different view into the global conversation.  For instance, earlier this year he posted about Chinese security standards, something that few of us outside the country would probably have noticed or commented on.  However, as he mentions over on his Chinese language blog (in English), access to Wordpress.com, where he previously had the blog, is apparently being blocked or degraded in China.  So he has now moved his blog to:

http://sbin.cn/blog/

As the title states, he covers primarily telecom and security.  Do check him out...

January 10, 2007

Special "Still Secure" podcast episode offers 2006 review and 2007 predictions

Right before the holidays I had sent in to Alan Shimel a contribution for a special episode 26 of his "Still Secure After All These Years" podcast.  In this episode, he asked a number of us in the security field to give our thoughts on the major issues of 2006 and predictions for 2007.  Mine were predictably about VoIP....  but many others ran across the whole field of information security.

Kudos to Alan for pulling it all together and producing the episode.  Makes for interesting listening.

January 05, 2007

Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. - and the frustrating audio issues in post-production

Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the "top VoIP security news stories of 2006" and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.

This was a bit of a frustrating show to post-produce. Post-production is always a somewhat lengthy process, anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges with voice that will simply fade away or get garbled. It's fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That's actually apparent in this show where Jonathan's voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs, I'd probably drop my post-production time by a good bit.

However, this week I couldn't blame Skype. I record the show in Audacity and it appears that because I had been previously editing a file located over on a USB hard drive, Audacity started writing its files for the new episode over on that hard drive. As anyone using Audacity will know, it writes a huge number of files to disk. Basically many, many little files with small pieces of audio in them. What seems to have happened is that periodically parts of the audio didn't get written. Or the files got destroyed. Or who knows what. Perhaps I had too many other apps running on the older computer I'm using for recording and Audacity couldn't keep up with what was being sent to it. Perhaps there was too much latency going to the USB hard drive. I don't know, but the end result was that there were gaps in the audio that got worse as the show went on. Just missing pieces of audio.

Unfortunately, I discovered it after the holidays were already underway and I couldn't really reconnect with Jonathan to rerecord. And also unfortunately, I wasn't running a backup record as I have in the past.

Given that my goal is high-quality audio production, this was a rather disappointing turn of events, but in the end I did put it out there with a big caveat in the show notes.

We just recorded show #49 today and I made sure to have nothing else running on the PC, to be writing to the main hard drive and to have a backup recorder. Hopefully I'll not experience the issue again.

January 03, 2007

Mark Collier's "VoIP Security Blog" gets a new makeover...

As I noted in my Voice of VOIPSA post today, Mark Collier (of hackingvoip.com fame) took some time in December to give www.voipsecurityblog.com a graphical makeover. He's got a cute new header image and an updated picture of himself. Although, Mark, I really have to say... you are violating the security "code of dress"! Don't you know that all good security people are supposed to wear black? Preferably a black turtleneck? Come on, now, you're going against the motif!

Ah, well... in any event, if you haven't checked out Mark's blog, it's a good one... even if he is wearing white. :-)

Quoted in VoIP News: "How Secure are your VoIP Calls?"

As I wrote over at Voice of VOIPSA, I was quoted in an article out today at VoIP News: How Secure Are Your VoIP Calls? The Voice of VOIPSA post has my (generally positive) reaction.

December 21, 2006

Blue Box Podcast #47 is now live... VoIP security hype, governments blocking Skype, SANS and VoIP training, more...

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show... probably the most we've ever had. See the show notes for all the links and info.

December 13, 2006

Ken Camp: "I've been Blueboxed"

(Originally posted at http://dyork.livejournal.com/257414.html)

Finally getting caught up on content recorded for Blue Box, I finished up on Monday night the interview I did with Ken Camp out at Internet Telephony in San Diego and posted the interview today. Ken responded with his post: "I've been Blueboxed", which gave me a laugh because I don't think I've ever seen the show name used as a verb before!