Disruptive Telephony

What is the best way to deploy communications applications? In the hosted "cloud"? On your premises behind your firewall? Or some kind of hybrid approach? Back in February I presented in a Voxeo "Best Practices" webinar on just this topic: Best Practices in Deploying Communication Applications: Cloud vs On-Premises vs Hybrid. While a recording and the slides of the hour-long session have been available on the webinar page, it is also now available via Voxeo's YouTube account:

The great part about YouTube is that you can view it on many different devices, including mobile devices like the iPhone or iPad.

It was an enjoyable session to present with lots of great questions. If you have any feedback on the session or would like to know more, please contact me.

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

Fascinating stats out of an article at TheNextWeb this week:

China has become the first country to reach the 900 million mobile phone user milestone after amassing about 11 million mobile phone users in April alone, according to a report by the country’s Ministry of Industry and Information Technology.

The report itself is available in Chinese. Looking at it via Google Translate did back up the numbers quoted in the article (assuming Google Translate was accurate).

By any measurement, 900 million is a staggering number of mobile phone users. TheNextWeb's article goes on to say that India is second worldwide with 811 million mobile phone users followed distantly by the US with 303 million users.

Said another way... China has almost 3 times as many mobile phone users as the US.

Consider, too, that China's population is 1.3 billion... and you have to imagine that like folks here in the US some % of people have multiple mobile phones... so there's obviously plenty of room to grow.

I found this intriguing from the article:

China’s 3G networks, which launched in 2009, are still used only by a small portion of the country’s total mobile phone populace. In April, China had a total of 67 million 3G users, which given the massive mobile subscriber base, is believed to have the potential to exceed the rest of the world.

Fascinating to see the growth there... and if you are providing services or apps to the mobile market, you obviously need to be paying attention to what is going on in China!

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

Cool news from the good folks at Voxbone yesterday that they have been chosen by the U.N. to implement a new "888" country code for agencies offering disaster relief.

It's not clear from the news release exactly how this would work, but Alec Saunders spoke with Voxbone CEO yesterday and wrote this in a post:

As Ullens explained to me, +888 is a real country code assigned by the ITU to the UN. In cases of humanitarian need, where telephone systems may be inoperable because of natural disaster, the first teams on the ground would deploy a local GSM antenna, connected via satellite to the rest of the world. Then Voxbone would simply forward calls to the +888 country code via satellite to the local GSM station on the ground. The impact is that UN inter-agency, intra-agency, and external users will be able to dial a +888 number assigned to a relief agency from anywhere in the world, and be immediately connected to that relief agency in the field, in whatever country being served. Not only that, the numbers need never change. Relief staff will be reachable on the same numbers in whatever location they are currently assigned.

If this sounds somewhat familiar, Voxbone was the company behind rolling out the iNum country code of +883 back in 2008 (see my video interview with Rod Ullens from that time), which is designed to be a "global" country code that people could call from anywhere. (You can learn more about iNum's recent activity by listening to a January 2011 VUC interview with Voxbone.)

Congrats to Voxbone and the United Nations on this agreement and I look forward to seeing this effort get deployed!

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

Before writing my story yesterday about Skype killing off Skype For Asterisk, I had reached out to Skype's PR agency to see if there was any statement from Skype. There wasn't at the time, but today they sent over this statement from Jennifer Caukin, a spokeswoman for Skype:

Skype made the decision to retire Skype for Asterisk several months ago, as we have prioritized our focus around implementing the IETF SIP standard in our Skype Connect solution. SIP enjoys the broadest support of any of the available signaling alternatives by business communications equipment vendors, including Digium. By supporting SIP in favor of alternatives, we maximize our resources and continue to reinforce our commitment to delivering Skype on key platforms where we can meet the broadest customer demand.

Being a huge advocate of open standards, I of course applaud Skype's commitment to supporting SIP. However, as I noted two years ago in my detailed review of what was then "Skype For SIP" (and is now "Skype Connect") the fundamental difference between Skype For Asterisk and Skype's SIP offering is this:

Skype For Asterisk is/was two-way - you can make outbound calls TO Skype users.

You can't do that with Skype Connect. You can receive calls from Skype users. You can receive calls to PSTN numbers that come in across the Skype network. You can make outbound calls to PSTN numbers via the Skype network. But you can't make outbound calls to Skype users.

Skype For Asterisk could.

And therein lay much of its power.

Additionally, Skype For Asterisk passed along your Skype presence which could be used for call routing... and also supported Skype chat, too.

Neither of which Skype Connect can do right now.

Skype For Asterisk provided a 2-way, multichannel connection into the Skype cloud in a way that Skype's SIP-based offering simply doesn't at this point in time. (Having said that, of course, SFA is certainly no where near as easy to set up or understand, a point Dave Michels made today.)

However, as Alec Saunders pointed out today, the economics also clearly favor Skype Connect in terms of monthly and per-minute billing versus the low one-time fee of Skype For Asterisk. Tim Panton also indicated that the Skype For Asterisk program had some challenges including the licensing of the product.

While perhaps understandable as a business decision, I know that Skype For Asterisk will be missed by many in the technical community.

Now, let's see what Skype will truly do with their SIP support in the time ahead...

P.S. And while it is of course easy to try to blame someone like Microsoft for this demise, as I noted in my first post, the acquisition deal isn't even remotely done yet...

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

UPDATE: Skype has issued an official statement about the end of Skype For Asterisk.

---

Word breaking out right now from multiple sources is that Skype has killed off the Skype for Asterisk product developed in conjunction with Digium. In an email sent by Digium product management that was subsequently posted on web sites (including Digium's), the company says (my emphasis added):

Skype for Asterisk was developed by Digium in cooperation with Skype. It includes proprietary software from Skype that allows Asterisk to join the Skype network as a native client. Skype has decided not to renew the agreement that permits us to package this proprietary software. Therefore Skype for Asterisk sales and activations will cease on July 26, 2011.

Skype will apparently continue to support the SFA software for an additional two years until July 26, 2013.

The Promise...

Skype For Asterisk was announced with great fanfare back at Astricon in 2008. I wrote about how it might tear down some of the walls of Skype's proprietary walled garden and posted multiple follow-up posts, including a detailed dive into Asterisk interconnection and how Skype could help with that.

The beautiful part was that Skype For Asterisk allowed two-way communication into the Skype cloud... allowing you to make calls to Skype recipients in ways that you couldn't with other options.

There was certainly great hope within the open source sides of the VOIP world that Skype For Asterisk, a.k.a. "SFA", would go far to connect the world of Skype to the larger world of SIP and IP communications.

In September 2009, Skype announced on their blog that Skype For Asterisk was available to all and there were ongoing posts on other sites about SFA usage. (Including Tim Panton's cool integration of Google Wave, Skype and Asterisk)

Sign of the Microsoft Era?

Now obviously we're not privy to the contract negotiations between Digium and Skype. Perhaps it is simply a case of the two companies not agreeing to terms. Maybe Skype wanted more money... maybe Skype didn't want to do the support for SFA... maybe it didn't hit Skype's revenue targets... maybe it's just cleaning up Skype's various business units before the Microsoft acquisition...

... or maybe it is a sign of the new Microsoft era at Skype, even though the deal has not formally closed. That is certainly the prevailing sentiment on Twitter right now.

Let's hope not... but time will tell.

Fred Posner perhaps stated this concern best in his blog post this afternoon:

Digium announced today the official end of Skype for Asterisk– ending anyone’s dream of a more friendly, open, Skype under Microsoft.

---

UPDATE - May 25, 2011: Tim Panton, a developer who was among the early users of Skype For Asterisk and has been involved in the Asterisk and VoIP community for years, wrote a thoughtful post: The long slow death of Skype for Asterisk. Tim notes the apparent tension between Skype and Digium from the early days of the product and offers the opinion that Skype probably just had no intention to renew the agreement in any event. Tim's post is well worth a read as he is someone who actually worked with the SFA product a great bit.

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

Want to build text messaging (SMS) applications for a very cheap price? My colleagues over in Voxeo Labs recently reduced the price of sending or receiving SMS messages to only 1 cent per message. (As a bonus, they also came up with the cute graphic I'm using on the right.)

As Adam Kalsey writes in the Tropo blog post, "Announcing New lower SMS pricing" sending an SMS is a trivial matter in Tropo. His language of choice is PHP, so he shows:

<?php
call('+14155551212', array('network' => 'SMS'));
say('d00d, Penny SMS? ');
?>

But you could obviously do something very similar in Python, Ruby, Groovy or JavaScript in Tropo Scripting... or with any language using the Tropo WebAPI.

Personally, I like seeing what I can do to merge SMS with Twitter... back in December I wrote about how to use Tropo to trigger alerts via SMS based on text in Twitter, which is a variation of an app I do actually use for Twitter monitoring. My colleague Justin Dupree also wrote a cool post about using Node.js to build a Twitter IM/SMS service.

Anyway... all of these SMS apps are now able to be deployed in production for only 1 cent per message to and from US numbers. Text messages to numbers outside the US are still the low 2 cents per message. If you'd like to try it out, Tropo is free for developers to build and try apps... you just have to sign up for an account.

P.S. In case it wasn't crystal clear, Tropo is a service of Voxeo, my employer. However, I wouldn't write about it here if I didn't think it was cool!

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

And so it ends... Skype was always always a fun company to write about because they were always a bit of a rogue.

The scrappy little startup that took on the megacorps of the telecom industry... and won in so many ways... look at their leading % of international calls... or the fact that per-minute call costs are now very clearly being commoditized down to zero...

... the product that came from the grey areas of P2P file sharing and created some truly revolutionary network technology and created a software client that "just worked" like magic from behind any firewall...

... a company from Estonia of all places, which pre-Skype most of us could only vaguely put on a map but now many of us know more about, including that fact that many Estonians have multiple vowels together in their names in ways we don't in English (ex. "Jaanus" and "Liive")...

... a product that was given away for free across multiple operating systems (even if some of us whined about the lack of attention to our chosen platform)...

... a service that just went ahead and implemented SRTP and encrypted call control when all the major telcos were whining about why they couldn't secure calls over IP because of the demands, latency, blah, blah, blah...

... a product that gave most all of us the first experience we ever had with wideband audio - where it felt like you were right there with the other person... and in fact, many of us found we could record podcasts over Skype (even using video)...

... a product that offers the best implementation of persistent group chats I've yet to see... and that allows globally distributed companies and organizations to work so well together across all timezones and regions...

... a product that truly offered a multi-modal/multi-channel user experience... and raised the bar for all the enterprise products that were trying to deliver "Unified Communications" ... Skype was offering the "UC" experience before "UC was even coined as a term...

... a product that became a verb... "just skype me"...

... and a product that had enough of a sense of humor - and roguishness - to implement emoticons like these:

(banghead)
(bandit)
(moon)
(finger)

(Tip: Don't type the last two in a chat window where people might be offended... and methinks the first one might come in VERY handy with meetings between Skypers and their new masters. :-) )

I started using Skype back in 2004 or so when it was still very early days. In 2005 I started using it to record the Blue Box podcast and to contribute to the For Immediate Release podcast. I was at Mitel in those days in the product management team and I remember back then talking to my peers about how Skype "just worked" through firewalls and how the wideband audio was outstanding.

Since that time, Skype has become part of the DNA of my personal IT infrastructure... I use it extensively for my own communication... and I use it very extensively within Voxeo where it is our Unified Communications tool of choice right now (for reasons I wrote about before). If there's one tool that's always open on my computers, it is Skype.

And Skype is probably the one company/product/service I've written about the MOST on this Disruptive Telephony blog since I launched this blog back at the beginning of 2006. Largely because Skype has been one of the single most disruptive influences on our industry. Sure, many of my posts have been critical, particularly of the new Skype 5.0 for Mac, but they have been critical out of my passion for the product - and of wanting it to be so much better.

And now we who have been raging Skype fanboys confront a new reality...

Microsoft acquiring Skype!

Goodbye, bandits...

... you are no longer fighting "against THE MAN"... you now are "THE MAN"! It's hard to get much bigger of a megacorp than Microsoft!

I do actually think the acquisition is good for Skype in a number of ways:

• Financial stability - Being part of as large an organization as Microsoft will finally give Skype a bit of room to really figure out their monetization play beyond what they've done so far.
  
  
• Enterprise credibility - Skype has struggled for years to get any kind of real credibility within enterprises. Many have completely blocked Skype and many have no understanding of what it can do. Microsoft completely gets the enterprise... in some ways they own the enterprise... so this can only help Skype grow in business usage... and that's a GOOD thing for those of us who already use it that way.
  
  
• Security - Whatever you want to say about Microsoft, they do understand how to communicate about security, something Skype is lacking. I can only hope that MS will now bring a higher level of communication to this aspect of Skype.
  
  
• Synergy - I'm not a fan of that word... but it makes sense here. Think of the other products Microsoft makes... what if you could get Skype integration into Microsoft Office? what if Skype and Lync could play nice together to connect the whole Skype world to the enterprise UC offering of Lync? what about making Kinect work with Skype? There are a lot of cool things that could be done. (And, of course, we'll undoubtedly see Skype on Windows Phone 7, etc.)
  
  
• Customer Support - And hey, maybe Microsoft can help Skype get a proper customer support organization so that I am no longer their corporate receptionist!

I worry, of course, about the acquisition and what it will do to the tool I use so much. Those of us on NON-Microsoft platforms have complained for years about Skype's lack of attention to our Skype clients. The Mac OS X client has at least received more attention and near-parity with the Windows client (even though many may not be fans of the new UI)... while the Linux client has languished. In the new world of Microsoft, will those other platforms really receive much attention? (despite the requisite platitudes mouthed in the news conferences and stated in the news releases)

And how about the iPad client for Skype that has been rumored? Will that ever see the light of day?

Will Skype truly be able to function independently as a "disruptor of telecom" now that it is part of such a large corporation?

The answers remain to be seen over the next months as the deal moves toward closing. I have many friends who work at Skype and I do wish them all the best through this whole transition... I wish them well seeing how long they can hang on to their Mac laptops and iPhones ;-) ...

... and I wish them much ":-D" and hope they don't experience too much "(banghead)".

Welcome to the new era of Skype!

---

If you found this post interesting or useful, please consider either:

• following me on Twitter;
• subscribing to my email newsletter; or
• subscribing to the RSS feed

---

Today, Skype issued a new Skype 5.1 for Mac "hotfix" for more "security issues". The problem?

We don't know what those "security issues" are?

We don't know, for instance:

• Are they related to the remote exploit that was publicly disclosed on Friday? Or to related attacks on the same theme? (as discussed on SecNiche today)
  
  
• What is the severity of these "security issues"? Remote compromise? Denial of service? What?
  
  
• What is the priority that we should place on getting this update in place? Is it a "UPDATE NOW!" kind of priority? or a "Update when you can"?
  
  
• What kind of mitigating circumstances are there for these security fixes?
  
  
• Are there any workarounds that could be put in place at a network layer (or any other layer) to prevent attacks on individual systems? (i.e. as a safety measure until the individual clients are all updated?)

We need to know this kind of information.

Particularly as Skype looks to try to move more into the "business" or "enterprise" market space, this level of NON-disclosure is unacceptable.

In comparison, take a look at any of the recent Microsoft security bulletins, like, oh, this one, and you can see the kind of information that a security professional is looking for. Now, sure, Skype doesn't necessarily need to go to the level of detail that Microsoft has... but something more than just "Security issues" is necessary.

Letting Us Know?

Additionally, why again is Skype issuing a "hotfix for security issues" without telling anyone about it? Just like they did back in April?

Once again the hotfix is mentioned only on Skype's Garage blog. Nothing on Twitter on either @skype or @skypesecurity. Nothing on the Mac blog (although they finally updated that blog about the issue on Friday). Nothing on the Security blog.

And once again, the "Check for Updates..." feature in Skype 5.1 does not show a new update available:

So apparently the only way we can get this hotfix for unknown "security issues" is to go to Skype's main download site and download it!

C'mon Skype! You can do better than this!

Recommendations for Skype

So rather than just rant, let me offer these suggestions to Skype for what they should do when they have a "security hotfix":

1. Provide More Info - Saying it is simply "security issues" doesn't cut it. We need to know things like:

• what is the severity of the security issue? if an attacker could compromise the Skype client, what could he or she do?
• how easy is it for an attacker to execute an attack? can the attacker be remote? do they have to be a contact?
• are there mitigating circumstances that would make an attack less likely?
• are there workarounds that could be put in place at a larger level than just the client?
• what is the potential exposure of NOT upgrading?

Skype should look seriously at tools like the Common Vulnerability Scoring System (CVSS) used by many software/hardware providers (see also the CVSS FAQ). And while perhaps the full CVSS process may be too heavy for a smaller organization like Skype, the document at least gives insight into the type of questions security professionals want.

Similarly, the Cisco Security Vulnerability Policy and associated links is worth a read. Again, it may be too heavy a system for a smaller company like Skype... but then again perhaps in all of the new hires Skype is looking to do they could hire some folks specifically to work on this process.

2. Let People Know About The Security Hotfix - Skype has a "security" blog and specific @skypesecurity Twitter account. They should be used to communicate the availability of security hotfixes. Security professionals associated with companies using Skype could then know that they need to subscribe/follow those sites to know when there are new issues needing attention.

3. Make The Security Hotfix EASY To Obtain - Make the "Check for Updates..." process work from the beginning. The blog post or other update should be able to state that Skype users can simply go up to "Check for Update..." to download/install the new version. Perhaps this means that the blog post has to be delayed until the new version is uploaded to whatever update servers Skype has... but so what? Wait a bit - or improve the internal process so that these uploads happen faster. The end result will be that MORE people will update sooner, which, I would think, should be the goal.

Those three steps would help people feel a whole lot better about Skype's concern for security - and would also make sure that Skype users are better protected. It would also help Skype's reputation, brand, etc.

And it would stop people like me from writing blog posts like this. ;-)

Seriously, Skype... security matters... and even more, communication about security matters. We all know that with any system there are security issues... no system is perfect and attackers will always try to compromise systems. We get that. It is how you react and communicate about those security issues that is so incredibly critical.

Interesting piece on the "This Is My Next" site last night about Sprint and AT&T taking to print ads to ratchet up their fight over AT&T's proposed acquisition of T-Mobile:

Sprint and AT&T take merger battle to print: ‘Competition is American, Competition plays fair’

The issue is, of course, that there is a U.S. Congressional hearing on the proposed acquisition this coming Wednesday in D.C. Sprint obviously is opposed to the merger and is pulling no punches in saying exactly what it feels about the proposed merger. I do admit to enjoying one line in their ad:

Competition keeps us all from returning to a Ma Bell-like, sorry-but-you-have-no-choice past.

This definitely IS a concern for all of us as the companies in the mobile space continue to consolidate.

AT&T of course counters with how this will be the best for the country, how it will foster innovation, bring about a stronger network, etc.

It will be interesting to see how this all plays out. For me personally, the proposed merger offers very little. AT&T has poor coverage where I live (Keene, NH) and T-Mobile has even worse coverage of the area... so I don't expect that we'd see any improved coverage here.

On a macro level, the consolidation is concerning... it will be interesting to see what happens in DC this week.

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

What is the point in issuing a hotfix that addresses a security vulnerability... if you don't tell anyone that the hotfix is available?

Tonight Skype published a blog post saying that back on April 14th they released a "hotfix" for this problem in Skype for Mac version 5.1.0.922. That's great... it's good that the fix is out there, but...

how were we Mac users supposed to know about it?

Hmmm... let's see... Could we find out about the Skype for Mac hotfix...

• ... using the "Check for Updates" feature? Nope, doesn't work for me. Maybe it works for others out there, but not for me.
  
  
• ... from the Skype for Mac Release Notes page? Nope, that page STILL hasn't been updated, three weeks later, to indicate that a new version is out. Nothing on there at all about 5.1.0.922.
  
  
• ... from Skype's Twitter account? Nope, no mention of a hotfix back on April 15th, although they did talk about the fact that Skype was mentioned twice on 30 Rock and that there was Skype call on the Rachael Ray show.
  
  
• ... from Skype's skypesecurity Twitter account? Nope, no mention.
  
  
• ... on Skype's Mac blog? Nope. Last post there was April 14th, the day before this hotfix came out.

No mention of a "hotfix" for Skype 5.1 for Mac OS X on any of those communication vehicles.

In The Garage?

Ah, but wait... Skype did mention the hotfix, over on the Skype Garage blog, which is all about "Experiments and pre-releases". Here's a screen capture of the notice:

So they posted news of this important "hotfix" on a blog for "experiments and pre-releases", didn't tweet it out, and didn't update release notes or put it anywhere regular Mac users would find it.

And a curious thing...

THERE IS NO MENTION OF A SECURITY ISSUE!

Nothing whatsoever.

I am guessing that "Minor bug fixes" must include this security issue. And maybe the fix was simply a "minor bug fix". Maybe someone forgot to do bounds checking on some part of the chat system and as a result a buffer overflow occurred. Maybe it was some simple little fix.

But labeling it in this way gives absolutely no incentive for anyone to upgrade. Even had I seen this notice, I probably wouldn't have bothered to upgrade (unless the Check for Updates had worked). There is no urgency on this.

And... call me crazy, perhaps, but I guess I don't consider a security issue where someone could send me a chat message and gain complete control of my Mac to be a "minor bug"!

Did Skype not think that at some point the security researcher would publish his findings?

And why in the world didn't Skype communicate with this security researcher to tell him that they had fixed the bug he found and would be issuing (in fact had issued a fix)? Now maybe they thought they did... but whatever the situation was, he didn't know and out of frustration published his post today.

It Didn't Have To Be This Way

In other words...

... everything that happened today was COMPLETELY PREVENTABLE had Skype only communicated more.

Skype would not have had the negative coverage in ZDNet, CNet, ComputerWorld, Mashable, TheNextWeb, my own blog ... and many other sites, let alone all the tweeting and retweeting.

Instead of having all this negative activity, they could have jointly come out with a statement with the security researcher or at least crediting the researcher. It would have shown that Skype was serious about security and protecting us - and also serious about working with the security community.

And even after the story broke early today, Skype could have tweeted out a response... or posted the blog post earlier... they could have cut off all the discussions and concerns simply by being more transparent and providing some information - or even just communicating that they were in the process of getting an answer.

Instead, there is only one word to summarize Skype's communications:

FAIL!

The thing that kills me is that Skype employs a ton of truly brilliant engineers. They have on their payroll a couple of the leading SIP/VoIP security researchers that are out there. And these guys know how the security community works.

Knowing some of those folks personally, I have to think that the process broke down somewhere in the external communications side of the house. Because of the IPO and the "silent period", I know that people at Skype are ultra-cautious about saying anything. And maybe that's part of it, but in this case, it truly failed them.

Too bad... because none of all this communication today had to happen.

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---