Disruptive Telephony

Over on his blog, Jeff Pulver asks "Do you prefer softphones or IP phones?", which is a great question to ask.  What do you think?

I left a comment there and then started writing a longer blog entry - but I just don't have the time to complete that particular entry, so I'll have to stick it in the queue for a future article.  In the meantime... do head on over to Jeff's site and leave any comments you have.  It's definitely an interesting question. 

A colleague pointed me to this Engadget story (which, in turn, points to this BBC article) about the fact that BT will soon be allowing UK owners of Sony PSP game consoles to use their PSP to make voice and video calls to other PSP users and eventually to any other phone number.  Per the BBC article (which also includes a nice little video showing this in action)

The software has been developed by BT and will eventually allow PSP users to call PCs, fixed lines and mobiles.

Initially the service will only be available in the UK and will only work on home or BT wireless hotspots.

Currently, there are around 2,000 of these situated in airports, railway stations, hotels and fast food restaurants.

Interesting move by BT.  The cameras were apparently to be available from Sony May 25th but this service from BT will not be available until more details are announced at a conference in August.  Certainly there's a strong potential user base there:

More than 24 million PSPs have been sold around the world, with more than eight million of those sold in Europe.

And the article states that BT says that this software will be distributed to telecom companies in 100 other countries (for, one would imagine, some type of licensing fee), so it will be interesting to see how many of those PSPs actually do turn into VoIP endpoints.

FYI, if you stumble upon some of my posts appearing over on a site called CircleID, that's okay... they aren't stealing my content... I have given them explicit permission to republish my entries.  One of the folks involved with the site, Ali Farshchian, contacted me originally after I posted the SIP Botnet story to the Voice of VOIPSA weblog asking about permission to republish that story (which he subsequently did).  He later re-published another post of mine and in further discussions I granted my permission for him to republish future stories if he notified me after doing so.   I'm normally a bit concerned about publication of my content on other sites, but in this case I do like the overall focus of CircleID on issues relating to Internet infrastructure - and I'd definitely suggest you give it a read as many of these issues around domains and just infrastructure issues in general will affect us all.  (And some of the stories are just plain interesting because they deal with the "plumbing" of the Internet and the dark clouds that we don't normally venture into and really only know that "magic happens" somewhere inside them and this thing we call the Internet just works.)

Yesterday, Skype announced a new "Small Business Pack" available in 12 European countries - and also indicated that you could become a Skype reseller to sell this pack.

Phil Wolff over at Skype Journal has more coverage and raises some good points that are unknown about the reseller program.  (And FYI, in the interesting way all this happens, my "tip" to him was in the Skype public group chat that Phil has hosted for months when I asked him if he'd heard of this new pack.)

To me, this represents another new method for Skype to look to get into the business market.  It's not entirely clear to me how many resellers will really pick it up, since the pack really only represents a 50-euro savings, but I suppose on one level it's something they can at least sell.  It's also not clear to me exactly why a reseller would be needed since you can also order the pack directly from Skype's online web site, so even with volume discounts, there would not seem to really be a whole lot of margin in it for a reseller. Maybe there are, as Phil writes, enough "Skype-crazy consultants" out there seeking to sell Skype.  We shall see.

As Jeff Pulver notes today, he'll be once again hosting a big party at his VON Europe Spring 2007 in June in Stockholm.  Jeff's events are definitely always interesting... and I'm looking forward to being at this one.  If you're going to Stockholm, I'll see you there!

 Since Skype has an open client-side API, why not use it as a transport to tunnel VPN traffic and blow through firewalls to connect you to a remote system?  That's the idea raised by Peeter P. Mõtsküla in his Skype Developer Blog entry: "Idea: skypetunnel".    For instance, have a Skype client running on your home machine logged in as one account.  Have Skype on your laptop on another account.  Initiate a connection between the two of them and wind up with secure, encrypted access through the firewall from wherever you are.  Being peer-to-peer, there  would be no central servers or infrastructure required (outside the usual Skype p2p cloud.) This would require, of course, a yet-to-be-created "extra" that connected into the Skype client API and was installed on both systems... but that was the point of the article - to suggest that something like this could be done (and perhaps inspire someone to write one).

It's an interesting idea, although as one commenter noted, it has already been done in a p2p fashion by Hamachi.  I don't know how large Hamachi's p2p cloud (i.e. userbase) is compared to Skype and whether or not that even makes a difference, but the point is that if you are already a Skype user, this would be a way to make use of your existing tools without using another tool.

This whole concept, though, is part of the side of Skype that is admittedly a bit scary for those of us in security, and specifically corporate security.  The client-side API can be accessed by whatever extras a user installs.  All Skype traffic is encrypted, naturally, so a corporate IT security person has no way to know what is going across that connection. Whatever the user installs and allows to access the API gets to use that encrypted Skype connection. If a user installs this fictional VPN Skype extra, the user could then access their corporate desktop from wherever they are - without going through the "approved" VPN gateways... and at the mercy of the security of that fictional VPN "extra".  How well is that "extra" secured?  Could someone else using the extra connect to your corporate desktop PC and initiate a VPN?  What kind of authentication is part of it?

Yes, with Skype's business version, you can use Windows' registry settings to control access to the API, but this means that: a) the company would need to essentially "endorse" Skype usage by promoting the Skype for Business edition; and b) the company would need to somehow block all installations of the "regular" version of Skype.  I guess I don't see that happening - yet - in many corporations.  I expect they will probably continue to take the very black and white approach of attempting to block Skype entirely from their corporate LAN... or just ignoring the issue and letting Skype be installed if users do so.  This latter case is where the Skype client API gets a bit scary.

We'll see.  I agree with the article author that it's a rather logical extension of the Skype p2p cloud.... it will be interesting to see if someone does come up with a VPN "extra" for Skype.

By way of a Twitter post today, I learned that Dave Troy has unveiled "Talking Ruby", a new site promoting information about the integration of the Ruby language with telephony, collaboration and messaging.  I've always been intrigued by Ruby (and also Ruby on Rails, which has been one of the most visible uses of Ruby), but have yet to really have had a reason to plunge in and play with it.  Perhaps this will provide an excuse.  Dave indicates on his site the following reasons for using Ruby with telephony:

• Ruby’s DSL (Domain Specific Language) Capabilities are ideal for expressively encapsulating diverse telephony and collaboration technologies
• Inherits the momentum of Rails, so web integration is baked-in
• Cross-platform support (Linux, OS X, BSD, Windows ) unifies application development efforts
• Ruby integration libraries can be easily developed and shared
• DRb (Distributed Ruby) allows for persistent state storage and scaling across servers

I wish him all the best with the new site and do look forward to seeing what people come up with.  The site is a wiki, so if you're interested and Ruby-literate, you can easily jump in and participate (there's also a mailing list).

With my post earlier this month about the possibility of SIP botnets, I've had a number of people asking about more information and wondering about the possible impacts.  And while I will write more on botnets in general, as far as the potential impact of "botnets" in general, one need only look over at the current situation in Estonia:

• Washington Post: "Cyber Assaults on Estonia Typify a New Battle Tactic"
• CNN: "Estonia suspects Kremlin in Web attacks"
• BBC: "Estonia hit by 'Moscow cyber war'"

Now, perhaps Russia is behind the attack... perhaps not. There are obviously much larger political issues going on between the two states.  In the end it doesn't really matter on one level who exactly is behind it... the net of it is that Estonian entities are being attacked in a massive Distributed DoS (DDoS) brought about in part by botnets. For anyone doubting the potential threat, you need only to read through those news articles to understand what can happen.

In fact, I found it interesting that the UK's Centre for the Protection of National Infrastructure (CPNI) issued an advisory today about the DDoS attacks against Estonia, mostly to reassure people in the UK that no attacks were currently being seen against UK businesses.  It also included two links to previous papers written by NISCC (one of the predecessors to the CPNI) about:

• Distributed DoS Attacks
• Botnets - the threat to Critical National Infrastructure

Both make for interesting reading and give some suggestions for how to prepare.

So what does this have to do with telephony?  Well, for starters I'll admit to knowing nothing of Tallinn, Estonia, before Skype entered the picture.  Skype is, of course, headquarted in Tallinn and through things like their Life at Skype blog have provided a view of Skype as a company, but also of Tallinn and Estonia.   Since then I have also learned of other companies coming out of Estonia... certainly seems like an interesting hi-tech place these days.  Now I don't know what, if any, disruption Skype has been seeing from these attacks.  The distributed p2p nature of Skype would argue for there not being much of an impact (except, obviously, to those right in Estonia), but I don't know.

On a larger level, though, it's just a powerful reminder that the botnet threat is very real out there.  And the question is... could your IP telephony infrastructure withstand a botnet attack?  Is your larger IT infrastructure up to withstanding some degree of an attack?  Do you have multiple VoIP gateways?  Could you route around points on your infrastructure that were being attacked?  Do you (gasp) have TDM trunks that could work as backups? 

I don't know if anyone in Estonia has had their IP telephony disrupted by botnets, but odds are if the attacks are as bad as being reported, some companies probably did.  What will you do to ensure your company's IP communication isn't disrupted should botnets come calling?

P.S. For another view on the larger conflict between Estonia and Russia, here's an article (and comments) I found interesting in John Robb's "Global Guerillas" blog: "Russia vs. Estonia: 21st Century State vs State Conflict".

In a few short hours, I will be catching a plane heading out to Fort Huachuca, Arizona, to swim in an alphabet soup of very different acronyms and jargon than my normal work - the "OSD-Sponsored, JITC-Hosted DOD Telecommunications Services Information Conference".  As noted on the page:

The purpose of the conference is to provide an open forum where DOD and vendor representatives can discuss issues related to interoperability of systems providing DOD Telecommunications Switched Services.

The conference will present the current program and discuss ongoing developments to the interoperability certification and information assurance procedures and test documentation. Other topics for discussion include emerging technologies, standards and their integration into the systems providing DOD Telecommunications Services.

I attended last year as well and it's definitely an interesting experience.  The US DoD is really doing some intriguing things with how they make use of VoIP / IP Telephony.  Obviously security is rather important.  They are also driving IPv6 adoption into their infrastructure and so, with the June 2008 mandate only a year away, it will be quite interesting to hear where they are with regard to IPv6 adoption.  Obviously, their huge size and buying power is of strong interest, so the number of vendors will no doubt be high.  Also, and I would think "obviously", I won't exactly be writing about things that I hear or learn there.

If any of you reading this happen to be out there at the conference, do drop me a note as I'm always interested in meeting readers or listeners.

Over on the Voice of VOIPSA weblog, I just posted "Ready or not... here come the IRC-controlled SIP/VoIP attack bots!" Given the sheer number of VoIP security tools out there, I think I and most others involved with VOIPSA figured it was only a matter of time before someone automated the attacks.  Did I hope that the creation of "bots" could have held off for a bit longer?  Definitely... but we have to play with the cards we are dealt.

I tried in the article not to hype the threat... that we are aware of, there are not massive botnets out there waiting to attack VoIP systems.  But there is now a proof-of-concept "bot" out there and those of us dealing with VoIP security have to look at how that could impact us.

And it's definitely a sign that we as an industry really have to get security locked down on SIP systems!