I mentioned it previously, but James Duncan Davidson has now put the set of photos he took for O'Reilly up on Flickr. So if you would like to vicariously experience the conference, check out the set. I particularly liked this one to the right (click for the larger image). Just a great use of focus and depth of field. The person in focus is actually Jay Phillips, developer of Adhearsion, a Ruby framework for building applications on top of Asterisk.
ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack". Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ". I think you can gather my opinion from the title. It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).
The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...
I was rather dumbfounded a few minutes ago when I went down to the kiosk in the hotel lobby to print my boarding passes. After logging in to United's web site, I was immediately confronted by a big warning message:
Due to cancellations you have been rebooked onto the following flights:
<new flight info>
[No thank you] [Accept this flight]
"No thank you?" Huh? You have just been told that due to cancellations you are being rebooked - so why would you NOT choose "Accept this flight?" What happens if you press "No thank you"? Could you try another route? In this case would I have actually been booked on the same flight? Huh? (Needless to say, I didn't try it.)
I guess the good news is that I'll be avoiding Chicago tomorrow and flying down to DC (to Dulles) and then from there to Burlington. The other good news is that I'm not going to have to be at the airport at 4:45 in the morning... the bad news is that the flight gets in 2 hours later... but hey, I just want to get home!
When I go to conferences, I usually wind up taking many shots of other people and events, but I naturally almost never wind up with any actual pictures of me. So it was a bit fun to find out that the photographer taking pictures for O'Reilly is posting all the pictures to a Flickr photo set, and that there were a couple of pictures of me included (click on the pictures to go to the Flickr pages and larger photos). I was a bit amused to see that my mouth was wide open in both of them, but then again, I was in the middle of presenting so of course that would be the case.
I just have to say kudos to O'Reilly for doing the "Web 2.0" or "social media" thing of posting all these photos to Flickr... and tagging them all appropriately. Given that they are a company that produces conferences like "Web 2.0", it rather makes sense that they would walk the talk, but it's just good to see.
Which of these two photos do you like the best? I think I like the one on the left a bit better. Many other good photos of the rest of the conference are part of the Flickr set.
So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now. The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here. As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!). I'll put a PDF up here as well once I get back to Vermont. It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.
However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link.
Had a couple of interesting questions and points of feedback about the talk (and things I noticed):
Yes, there were actually 243 slides and yet it came in a hair under 15 minutes. This is a very different way of presenting than a "traditional" deadly PowerPoint presentation. More slides... minimal text... fast transitions. The point is to accent your story and leave the focus on you and what you are saying. Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text. One or two words maximum on a slide.
Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos. I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story. Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets. Lawrence Lessig is definitely a master of the style and I admire what he does. When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF. (It is also well worth a listen for the subject matter as well.) So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation. Personally, I wish more people would present this way.
On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs. He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.
He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away. But the question is whether or not they are secured by default. In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security. Perhaps they installed it and didn't enable required security options. Perhaps they turned the security features off. Perhaps the IP-PBX didn't have it in the first place. I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder. I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on. All of the major vendors in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP. We have to, because enterprises demand it.
That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space). You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had. So in the end, he did have secure VoIP.
It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
Another person asked about why I focused only on SIP. Well, the answer is pretty much... 15 minutes. That's the amount of time I had to do this talk. In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me. I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story. While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation. VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..." Welllll... not quite. CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right). I thought it was just a great little nod to the Canadian heritage of my employer! (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference! ;-)
With that, I'll end the commentary and just try out the embedding of the SlideShare object. Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:
Comments, feedback and opinions are definitely all welcome.
Travelling in the US at this time of year is always a gamble. This is the time of large storms with snow, ice, sleet and all sorts of things that don't particularly work well with large metal tubes flinging themselves through the air. The trip out would have been a complete mess had I flown 24 hours earlier... and now the trip back is looking like it has the potential to be... um... "interesting". I'm leaving very early tomorrow morning flying United... and frequent travellers will immediately realize that flying United pretty much guarantees I'm flipping through Chicago.
Students of North American geography will take one look at the CNN weather forecast map to the right (click for a larger version) and realize the impending problem. For those not familiar with the layout of our fair land, well... you see where that "L" is? Designating the center of the storm? Chicago is just a tiny bit to the right of that... pretty much where the cloud and other symbol is - meaning that it probably won't be a terribly good travel day today in Chicago. United has already announced "severe weather problems" affecting Minnesota, which is just a bit northwest from the "L", i.e. that's where the storm was yesterday and into today.
We'll see... perhaps it won't be that bad or perhaps they'll work the system issues out by the time I am to arrive there tomorrow.... good news is that I've plenty of work and other things to do to keep me busy while sitting in airports...