Disruptive Telephony

UPDATE: O'Reilly now points over to the post from AOL's John Panzer about this with more details.  It's funny... I read that post yesterday from John, but I don't think the enormity of it sank in until about 5am this morning when I read the post from Fred Stutzman that I reference below.

Wow!  Talk about a major boost for OpenID... continuing my OpenID research, I learned from reading Fred Stutzman (also here) that all 63 million users of AOL Instant Messenger can now use their AIM account for OpenID!  Now, I don't actually use my AIM account all that much these days (my IMs of preference are Skype, Jabber and MSN/WLM)[1], but I had to try it out, so I headed over to stickis.com and logged in using my AIM screen name - as shown in the image to the right.  Simple.  Easy.

Okay, that's fairly cool. My OpenID is simply:

http://openid.aol.com/dyorkottawa

Now the only peculiar thing was that I never saw this screen to grant or deny the access to the site.  The only reason I have this screen capture is because I pressed the Back arrow on my browser because I wanted a screen capture of the login page.  In actual operation, once I was logged into the AOL OpenID page I went directly to the stickis.com page... without actually granting the site access to my OpenID.

Hmmmmmmm...

This happened in Firefox 2, so just to verify the issue, I flipped over to IE7 and tried the same procedure.  Again, I was asked for my AIM password and then... bang... I was logged into the site (without seeing the Grant/Deny screen).  Note that I am not running any AIM client on this PC right now.

Now at the second site I tried this at, schtuff.com (a wiki provider that allows OpenId login), I was prompted to Grant/Deny access... but I was apparently already logged in to AOL's OpenID server.  Of course, I can't figure out how to log out of the AOL "Screen Name Service"... I guess I have to close out all my browser windows.    So given that I can't figure out how to log out, I can't replicate this procedure again (sorry, AOL, but I am not going to exit all my browser windows right now)... so I'd be curious to know if anyone else experiences this.  If you get a OpenID login screen, do you then just go right in?

I'm not sure there is a huge issue... I mean, you are going to the site to login... to a certain degree the Grant/Deny screen seems redundant in this instance.  You still have to go through one screen to allow the relying site access to your ID.  And with subsequent sites it seems to do the right thing and pop up the Grant/Deny screen.  Is the skipping of the initial Grant/Deny screen really a security issue?  (if it turns out to be more than just me?)  I don't know yet...

Anyway, kudos to AOL for OpenID-enabling their system... even if there might still be a few bugs to iron out.

This does raise a larger question, too... who do you use as your ID provider?  There's a long list of OpenID providers, but if you use AOL most of the time for IM, might it not make sense to use them as your OpenID provider?  Or do you want the more granular control provided by some of the others?  Where do you establish your online identity?   It shall be an interesting question to continue to ponder.

[1] My AIM name might give a clue as to why I don't use it as well... I took it out during the 5 years we lived in Ottawa, and, well, I've just never gotten around to getting a new one now that left there 1.5 years ago...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and I in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here's some good places to start if you know nothing about it:

• Screencast on how to use OpenID
• Video from ETech 2006 - "Who is the Dick on your site?" by Dick Hardt of Sxip Identity (nice history of identity efforts)

Lots to learn out there...

Fans of Blue Box have to be aware that I'm a wee bit behind in posting episodes... so I was delighted to finally get Blue Box #50 uploaded yesterday.  I still need to finish putting the show notes up there, but at least the show is out so that people can listen to it.  Given that we recorded it January 17th, it has already aged a bit.  Tonight or tomorrow I'm hoping to get #51 up... and then #52 has already been recorded as well... I'd like to get caught up before going out to ETel where I'm undoubtedly going to get more recordings for special editions.

Have you ever created a "mashup" of telephony applications? Per Surj Patel writing on the O'Reilly Radar weblog, we're going to see some "telephony mashups" out at ETel in just a couple of weeks.  As Surj says:

The competition website is here and we encourage you to enter no matter how silly or brilliant the idea may be. The idea is to spread the word outside of the phone hackers community as to how easy and fun it is to build these hacks. Everything you need to get started you can get from the website. Your phone account (VXML) is free and you have free API's and Toolkits from the sponsors.

If you can write a CGI script then you can hack a commercial style service together in a few hours. Go take a look and investigate. Step outside your daily zone. Let your imagination run riot. Have some fun.

Per the ETel Mashup Contest website, the top 3 mashups will be presented out at ETel.  As the page says:

A telephony mashup is a voice, Web or mobile application (PBX, IVR, VOIP, SMS, Text Messaging, etc.) that combines content from more than one source to create a new user experience. Qualifying entries must demonstrate how an application can use one or more sources of content in an inventive way to benefit users. Any tool or platform that involves content (see StrikeIron or ProgrammableWeb) telephony (ex: VOIP, SMS, Text Messaging, PBX, IVR) can be used to create a mashup. This is uncharted territory, so there is plenty of room to use your imagination!!

The deadline is February 20th... so you still have time!  It will no doubt be both interesting and fun to see what people come up with...

The news today out of the WiFi Alliance was that almost 100 phones have become "Wi-Fi Certified" in their testing from 2004 to the present.  What's interesting to me is that most of those phones seem to be "dual mode" sets designed for the cellular market.  The news release indicates that there are 82 dual-mode phones and 10 single-mode phones... which is a bit puzzling because the list of Wi-Fi Certified handsets shows only 89 handsets, leaving 3 unaccounted for.  Browsing down the list, I can immediately see a WiFi handset for Skype and the wireless Skype/VoIP phones from Cisco/Linksys and D-Link.  One annoying detail - all of the listed models take you to the main home page of the vendor, so you then have to dig to find the phone... would be MUCH better if the link took you directly to the product page of the specific product. I have no idea what some of these phones are (nor do I really have the time/interest to dig for them).

 I don't see the Netgear and Belkin 802.11 Skype phones, nor do I see many of the zillion wireless SIP phones that are out there.  So either: 1) those phones are still being tested by the WFA; 2) the vendors don't see the value in WFA certification; or perhaps 3) the vendors aren't really aware of the certification.  In any event, the net is that there are obviously a lot more 802.11 phones out there beyond this long list.  Nice to see so many dual-mode mobile phones... an obvious sign of the rising reality of Fixed-Mobile Convergence (FMC).

Jeff Pulver was in Los Angeles and visited the Apple Store there... and couldn't find someone to pay!  Ever the social media guy, he seized the moment to make this video and share the experience with all of us:

Just a note to anyone in retail... you, too, (or your absence) might wind up on YouTube someday... the shoppers are watching - and recording!

Anyone reading this blog using the ChanSkype software to connect Asterisk to Skype?  I've not played with it at all myself, but it sounds like an interesting idea.  Here's what they say it can do:

• Call online Skype users.
• Call using SkypeOut.
• Receive up to 30 incoming Skype Calls ("Skype Trunk").
• Bridge with SIP channels.
• Make any number of simultaneous calls (limited only by system resources).

Their FAQ is just a wee bit sparse on details, like, oh, precisely how many simultaneous connections will it support?  Their main page has the text above and on the Buy page they note that corporate licenses are licensed per port up to 30 users and it has this text:

This limitation is not technical, for ChanSkype's simultaneous call capabilities are limited only by system resources.

Which naturally makes me a bit more curious.  It's clear that they are using the Skype client-side API through a Linux Skype client but that's about it.  I would think to support multiple users they would have to launch multiple instances of the Linux Skype client.  Is this what they are doing?

If anyone has played with it, I'd be curious to know how it works.  It's intriguing enough to me that I might just have to revive my dormant Asterisk install.

VoIP News yesterday posted an article "Hacking Skype: 25 Tips to Improve Your Skype Experience" that definitely makes for interesting reading (using "hacking" in the original sense of the word not the criminal one).  It's a good list of the kind of innovative things people are doing with Skype.  Many of them I'm already using... some were new to me and some I don't ever see myself doing (sorry, I don't want a lip-syncing avatar).  Are you using any of these?  What other hacks for Skype have you found useful?

In just a few minutes I'll be getting in today's rental car and heading up to Ottawa for the remainder of the work week for some meetings at the corporate office.

One of the nice things about being up there today is that I'll get to drop in on an OCLUG meeting tonight.  In the most of five years we lived in Ottawa, OCLUG was a wonderful place to meet some really incredible people.  I very much enjoyed the time spent there and the friendships that were formed... and I look forward to seeing many of those folks again tonight.   Not quite sure where the "Beer SIG" will be since the meeting is now out on Woodroffe, but I'm sure there's an appropriate spot somewhere around.

The meeting will be doubly interesting because tonight's topic will be Asterisk, which of course is of great interest to me.  Should be interesting to see what is being discussed. (Not quite sure what Randal will be doing with "Fractal Poetry", but hey, it sounds intriguing, anyway.)

If any of you reading are going, I'll see you at the meeting.

(As I now get in my white rental car to drive up to Ottawa with snow all around... whoever thought up creating white cars obviously missed the fact that in the winter those cars are almost invisible.  Ugh.)

Received a nice email from ISC2 this morning confirming that my Certified Information Systems Security Professional (CISSP) certification is all set for another three years. Having been involved with creating a certification, I find ISC2's process quite interesting.  First, obviously, there is the barrier of obtaining the CISSP credential.  The 6-hour exam is certainly not an easy one as it encompasses an extremely wide area in the 10 domains of the Common Body of Knowledge.  Then there is the professional experience requirement and then the requirement to be endorsed by another CISSP.  Add to that the fact that the exams are not computer-based but rather proctored... and are therefore only scheduled an infrequent intervals.  All in all, it winds up not being terribly easy to obtain the CISSP credential.  Which is part of the point, really.  There have been too many certification mills out there.

Anyway, once you obtain the CISSP, the next part is to maintain the credential.   There's an Annual Maintainence Fee to pay, but that's <$100 and not really a big deal.  Much harder is the Continuing Professional Education (CPE) requirement which is that over three years you have to obtain 120 CPEs.  If you fail to do so after 3 years, you lose your CISSP and have to retake the exam!  Now, it's not overly difficult to obtain CPEs.  You can get them for attending conferences, webcasts, training courses... even, once per year, for reading a security book.  You can also get more for providing training or serving on the board of a local security association.  Really, it's nothing for the normal security professional who is keeping up on the current state of the profession.  And that's the point, really.  ISC2 wants to ensure that someone representing themself as a CISSP does in fact have relatively current security knowledge.  The main issue, I find, is remembering to record CPEs with ISC2!  If I attend a conference or webinar or something like that, I try to remember to go and record that soon thereafter.

In any event... I've blown past the required CPEs... now the counter gets reset and I'll have to start again to have them in place before 2010!  :-)

P.S. Wikipedia, of course, also has more info on the CISSP.