Posts categorized "Security"

Brief interview in 101st Telecom Junkies podcast episode to update VoIP Fraud/Hacker case

telecomjunkies.pngEarlier this week I had a fun moment joining a cast of characters to help the Telecom Junkies podcast celebrate crossing over 100 episodes. In the 101st episode, now available for listening, host Jessica Gdowski invited 7 of her previous guests back to give brief updates. So I joined Martha Buyer, Mark Fletcher, Hank Levine, John Lyon, Dave Spofford, and Allan Sulkin for the ~20 minute show.

In my case, I've been a guest on the show three times previously, most notably in August 2007 with "Interview with a VoIP Hacker" where we interviewed Robert Moore shortly before he was heading to prison.

Moore was part of the VoIP fraud case masterminded by Edwin Pena and discussed on another Telecom Junkies episode back in July 2006. I was also on another Junkies episode in November 2007 about VLAN Hopping.

In this 101st episode recorded this week I gave a brief update on the Pena/Moore case (Pena recently pled guilty) and then talked about VoIP and Unified Communication security issues. It was literally just a few minutes, but I was glad to join briefly and help Telecom Junkies celebrate. 100 podcast episodes is indeed a milestone to celebrate! Congrats!


If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.



Using voice for security and biometrics - all out in the Voxeo cloud

voxeologohoriz.pngWhy shouldn't we be able to use our "voice" as a way to securely authenticate into systems? After all, it's one of the few "biometrics" that are unique to each of us... along with fingerprints, retina scans, etc. What about accuracy and "replay" attacks? After all, some of us remember "My voice is my password" from back in the movie Sneakers...

"Aren't voice biometrics hard to implement?" ... "Are they really secure?"

Today, over on Voxeo's blogs, we announced a new voice biometrics initiative with four partners designed to answer these questions and show developers exactly how easy it is to add voice biometrics to voice applications. (also called "voice verification" or "voice authentication", although those are both subsets of the larger "voice biometrics")

The idea is simple. Build a VoiceXML application in Voxeo's hosted cloud and then follow the instructions on the "How To" docs linked off of www.voxeo.com/biometrics to add voice biometrics to your application. You can use an existing VoiceXML application or you can create a new one. Code samples are available. (and it's free to create an account if you don't already have one.)

The beauty of it is that all of the services are out in the cloud... so it's very easy to simply try it out.

Please check out our announcement page to watch video interviews, read relevant blog posts and learn more about how you can get started today.


If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.



Speaking at ITEXPO / Cloud Communications Summit Jan 20-22 in Miami...

itexpo.jpgOn Monday I'm heading down to Voxeo's corporate headquarters in Orlando, FL, but the week after that I'll be heading down to ITEXPO in Miami Beach, FL, where several of us from Voxeo will be speaking

Ironically, I won't be speaking actually at the formal "ITEXPO", but rather at the Ingate SIP Trunking Seminars and then at a new "Cloud Communications Summit" coordinated by Thomas Howe. Somehow my sessions wound up back-to-back... I'm just hoping the rooms aren't too far apart!

Voxeo will also have a couple of exciting announcements, so it should be a great event. Here's my speaking schedule:

Wednesday, January 20, 2010

11:30-12:00, Ingate SIP Trunking Seminars, Dan York

“The Enterprise Edge and Security”

Representing the VoIP Security Alliance (VOIPSA), Dan York will give an overview of security concerns related to Unified Communications and VoIP with a focus on SIP trunking.

12:00-1:30pm, The Cloud Communications Summit, Dan York

“Cloud Telephony for the Enterprise”

This session discusses tradeoffs in deploying communications applications behind the firewall, with a hosted partner or through elastic mechanisms such as Amazon’s EC2.

Other speakers planned for this session are Troy Davis, CEO of CloudVox, and Evan Cooke, Co-Founder and CTO of Twilio. Thomas Howe will moderate the session.

If you are going to be at ITEXPO, drop me a line. I'll have some of my podcasting gear and other equipment, so I intend to be producing some content from the show floor. I'll of course be tweeting, both as @danyork and @voxeo

See (some of) you there..


If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.



I'll be out at ITEXPO this week in L.A.

itexpo-logo-1-1.jpgIf any of you are heading out to ITEXPO tomorrow through Thursday in Los Angeles, I'll be there on Wednesday. As I note on a Voxeo events page, I'll be speaking twice, pretty much back to back:

9:30 – 10:15am, Exploring Applications in the Cloud

11:00 – 11:45am, SIP Trunking and Security

The first is a panel discussion that should be quite interesting. The second is another version of the VOIP / SIP Security talk that I've been giving at Ingate's SIP Trunking Seminars for the past few years (and that always seems to be popular). More details and session abstracts on the events page I set up.

I'm looking forward to catching up with many friends at the show, including Andy Abramson, who I haven't seen for a while.

If you will be out there, please do say hello.


If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.



Heading down to ITEXPO in Miami on Feb 2-4...

ITEXPO-East-logo-1.jpgWill you be down in Miami at ITEXPO February 2-4? If so, please feel free to drop me a note and perhaps we can connect somewhere there.

I'll be arriving Monday afternoon and then on Tuesday, February 3rd, I'll be donning my VOIPSA VoIP Security hat to participate in a SIP Trunking Workshop sponsored by Ingate Systems on "SIP Trunking And Security". These workshops are always fun to do and as they are free to anyone attending ITEXPO (even just with an exhibit pass), they are usually well-attended. I'll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

Speaking of recording... I'll have my video gear, too, and so if you have some new product or service in the "emerging communications" space that you think I might be interested in recording for my "Emerging Tech Talk" video podcast... well... pitch me. :-) I know I'll be recording a number of videos down there and I would certainly consider doing some more.

Wednesday evening I'll be driving back to Orlando and in Voxeo's office on Thursday and Friday so if you're in the Orlando area, please feel free to let me know as well.


If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.


Technorati Tags: , , , ,


Is the new ".tel" domain more than just a pretty face on top of DNS?

dottellogo.jpgIs the new ".tel" domain launching today more than just a pretty web interface to DNS? Is it something really unique? Is it a new service that couldn't be easily replicated elsewhere?

In case you haven't been following the subject, a company called Telnic has launched a new top-level DNS domain ".tel" today. Today, December 3rd, is the launch of the "Sunrise" period where companies can (for a high price) obtain the ".tel" domain associated with their trademark.

The point of ".tel", though, is to not just be "yet-another-top-level-domain" but rather to be a global directory of information - with users/companies having control of their own information.

With the first part of the launch happening today there has been predictably been a good bit of coverage in the blogosphere. Danielle Belopotosky had a great piece up on the NY Times Bits blog, Techmeme has a flow of links to stories and I am sure more will be appearing.

I would, though, suggest people wanting to understand the goals of the service go back and listen to our Squawk Box conversation on September 9th with Telnic's Justin Hayward (www.justin.tel). The part about .tel starts at about the 17:50 minute mark of the podcast and literally did go on for about forty minutes. We put poor Justin through a bit of a wringer as he may not have realized he was walking into a conference call that included a bunch of DNS geeks. He presented his vision of how .tel would work and answered the many questions we threw at him. You can also watch the video of Telnic's DEMO Presentation where Justin is obviously pitching the .tel domain to the DEMO audience. (And yes, the Justin in the video is the same one who was on Squawk Box.)

While my friend Jonathan Jensen is quite enthusiastic about the .tel domain, I remain a bit troubled by a few aspects of it. First, though, let's talk about how it works...


HOW .TEL WORKS

One of the admittedly cool aspects of the ".tel" domain is it uses the Domain Name System (DNS) to store all of your contact information. I've been working with DNS for probably 15+ years now and have always viewed it as a rather remarkable creation. Ultimately, DNS is simply a massively distributed database system that allows for the easy querying of information on a global scale. I could go on at length about it and always enjoyed the DNS sections of the TCP/IP classes I used to teach because there is so much that you can do with tools like "dig" (or the previous "nslookup" tool) that are interesting (and fun).

But anyway... the reality is that today in general we pretty much only use DNS as a storage mechanism for mapping hostnames to IP addresses. When you entered "www.disruptivetelephony.com" in your browser window or clicked on a link to a URL that had that hostname in it, your local DNS resolver went off and queried DNS servers to find out the IP address for the web server hosting this site. Your browser then sent a HTTP request to that IP address asking for the appropriate page. That's what we primarily use DNS for.

But why not stick other information in the DNS database?

That's the central premise of ".tel". Why not put contact information, favorite URLs, etc. in there?

danyork.vip.tel.jpgNow you have always been able to do this (a point I made in the Squawk Box call). There are "TXT" records that you can insert related to your domain. There are "NAPTR" records that are used in ENUM systems to do lookups on phone numbers (they have other uses as well). On one level, there is nothing the Telnic folks are doing that you cannot do already for your own domain (as long as you can edit the DNS records).

Except that Telnic has put up a pretty web interface that lets you easily edit all of these records. No special knowledge required.

I joined Telnic's "beta" program and you can see in the image to the right what my danyork.vip.tel page looks like from the public point-of-view. You can see that I have a telephone number, email addresses, Skype address, and other pieces of information. There's really no limit to the type of information I can put in here. All just various types of numbers, URLs, keywords and other pointers.

Now let's take a look at how this looks in DNS. Here is part of the output of the 'dig' command run against 'danyork.vip.tel':

dyork$ dig @a.dns.vip.tel danyork.vip.tel any
;; ANSWER SECTION:
danyork.vip.tel.        86400   IN      A       195.253.3.235
danyork.vip.tel.        60      IN      TXT     ".tkw" "1" "pa" "" "a1" "52 Probate Street" "tc" "Keene" "sp" "NH" "pc" "03431" "c" "USA"
danyork.vip.tel.        60      IN      TXT     ".tsm" "1" "pddx" "1"
danyork.vip.tel.        60      IN      TXT     "Dan York,  "
danyork.vip.tel.        60      IN      TXT     ".tkw" "1" "bi" "" "o" "Voxeo" "d" "Office of the CTO" "jt" "Director of Emerging Communication Technology"
danyork.vip.tel.        60      IN      LOC     51 31 12.000 N 0 7 48.000 W 0.00m 10m 2m 2m
danyork.vip.tel.        60      IN      NAPTR   100 103 "u" "E2U+x-voice:skype" "!^.*$!skype:danyork!" .
danyork.vip.tel.        60      IN      NAPTR   100 104 "u" "E2U+web:http+x-lbl:Blog" "!^.*$!http://www.disruptivetelephony.com/!" .
danyork.vip.tel.        60      IN      NAPTR   100 105 "u" "E2U+web:http+x-lbl:Employer" "!^.*$!http://www.voxeo.com/!" .
danyork.vip.tel.        60      IN      NAPTR   100 106 "u" "E2U+web:http+x-lbl:Blogs" "!^.*$!http://blogs.voxeo.com/!" .
danyork.vip.tel.        60      IN      NAPTR   100 100 "u" "E2U+voice:tel+x-lbl:Mobile" "!^.*$!tel:+1-407-967-8424!" .
danyork.vip.tel.        60      IN      NAPTR   100 101 "u" "E2U+email:mailto" "!^.*$!mailto:[email protected]!" .
danyork.vip.tel.        60      IN      NAPTR   100 102 "u" "E2U+email:mailto" "!^.*$!mailto:[email protected]!" .
danyork.vip.tel.        3600    IN      NS      c.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      d.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      d.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      a.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      a.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      b.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      c.dns.vip.tel.
danyork.vip.tel.        3600    IN      NS      b.dns.vip.tel.
danyork.vip.tel.        3600    IN      SOA     stealth.nic.tel. hostmaster.nic.tel. 14 10800 3600 2592000 600

You can see in here various TXT records corresponding to information I entered, a LOC record corresponding to where I was listed as being and NAPTR records pointing to various URLs, email addresses and phone numbers.

Now here's a key point - I entered all this information and in theory I control who sees all that information.

All of this information is publicly available because I chose that it would be publicly available. As Justin stated in our Squawk Box episode, users will have the ability to make some information private and available only to "friends" in some sort of social networking way. I say "in theory" only because in the administrative interface they made available to beta participants, I see no way of actually restricting the visibility of the data. Perhaps I missed something, but I'll take them on their word that they will deliver this functionality.

[UPDATE: Telnic has a page on their developer site about privacy and their friending mechanism.]

danyork.vip.tel-admin.jpgThe admin interface itself is pretty straightforward. You simply add different records for contact information. You can re-order the pieces of information if you want them to appear in a different order. You can enable/disable pieces of information... delete them, etc.

You can also create "folders", which are effectively DNS subdomains. This, to me, is perhaps one of the more intriguing aspects because now I can create domains like "blogs.danyork.vip.tel" and "podcasts.danyork.vip.tel" that show a subset of my overall contact data. I did have to enter it twice if I wanted it to appear in both places, but still... it's a nice feature to have.

All done very simply and easily through Telnic's web interface.

I would note, too, that because .tel is a "sponsored top-level-domain" (see Telnic's contract with ICANN), Telnic has more control over it than there is over a typical TLD. For instance, even though you purchase a .tel domain, you are NOT able to change the "A" record which points a domain to an IP address. What this means is that a ".tel" domain can never point to a website directly. It will always point to Telnic's web interface (where you could, if you wished, simply have one entry that pointed to your web interface). This type of restriction is not true of general TLDs.


THE ADVANTAGE OF USING DNS

The beautiful thing about using DNS is that it is fast and that it can be queried from basically any kind of client in any kind of programming language. DNS libraries exist out there for every language ever used in network-connected applications. In the video I referenced earlier, Justin shows an iPhone app that is able to get information from the DNS system far quicker than it probably ever would from standard web queries. This is what DNS was created for.

To help in that, the Telnic folks have created a Developer area and provided some sample applications (including the iPhone one).


BUT COULDN'T ANYONE ELSE DO THIS?

In a word...

Yes

There is absolutely nothing stopping me, you, or anyone else from creating a service based on one of our domains that provided a pretty web interface that allowed users to populate DNS with such contact information. I could set up "dir.disruptivetelephony.com", build a web UI, write some code to update DNS and start selling subdomains off of that domain. Justin could have "justin.dir.disruptivetelephony.com"... he could control it, update it, etc.

In fact, there are very few of the arguments I've heard from the Telnic folks that couldn't be equally addressed by someone else on their own domain. However, the Telnic folks do have a couple of advantages going for them:

SIMPLICITY - It's hard to argue with the simplicity of "yourname.tel". Easy to give out. Easy to type in. Easy to use. Beats by a mile the subdomain system I mentioned above.

EXISTING TLD INFRASTRUCTURE - Because they are a top-level-domain, they can make use of all the existing registrar infrastructure that exists to sell domain names. GoDaddy, DomainDirect, DomainPeople and every other domain registrar under the planet can sell these domain names. There's an existing and at this point very well understood process for registering names, paying for them, etc. If I were to set up my own directory system, I'd have to get people to sell the domains for me or sell them myself. I don't have an entire layer of domain sales companies ready to get out there and sell my domains.

THE SPONSORED-TLD RESTRICTIONS - As I mentioned earlier, by virtue of being a "sponsored TLD" the .tel domain has some additional restrictions set up by Telnic specifically around the inability of a domain owner to change the A record and redirect the .tel domain to a website. If you want a ".tel" domain, you have to agree to the terms of use - it's that simple. Proponents of any other TLD could enter into this directory game and aim to compete with Telnic, but they would have to deal with the fact that their TLDs are not locked into pointing to one location for the website.

So the answer is ultimately - anyone could really do this, but the Telnic folks have set themselves up nicely with some advantages.


MY PROBLEMS WITH .TEL

So what are my problems with the .tel domain? Well, I guess I have two more technical issues and then some more fundamental issues. First, the technical issues:

BEAUTIFUL TARGET FOR SPAMMERS - The wonderful advantage of DNS is that it is simple and easy for anyone to query. That includes, of course, spammers. So if .tel is successful and people load up the .tel DNS servers with tons of public contact information, what in the world will stop spammers from harvesting all that public information out of the DNS trees? You can see above that it was trivial for me to get all the information associated with "danyork.vip.tel" out of DNS. It's equally trivial for me to write a little script that iterates through potential .tel DNS names, grabs all the info, finds all records that include "mailto" and then emails those people. Or searches on "voice" and calls them....

Unfortunately there's nothing Telnic can really do about this.

Sure, they can throttle requests from certain sources when those sources launch a zillion requests... and then the spammers will just move to using distributed botnets. There's an inherent challenge in putting contact information out in publicly available systems like DNS - anyone can get it.

This is a large part of what has effectively killed any kind of public ENUM systems. ENUM had the same basic idea. Store phone numbers in DNS so that they and their corresponding SIP addresses could be retrieved. Wonderful way to map phone numbers to SIP addresses so that you can bypass the PSTN. However, spammers can do the same thing. One of the tools on the VOIPSA VoIP Security tools list (I forget which one) will do exactly this - issue ENUM queries into DNS and then make SIP calls to any SIP addresses found. Public ENUM is probably irrevocably dead because of this. (ENUM, however, is thriving inside of service provider/carrier networks, though.)

I've seen responses from folks at Telnic about the spam question (such as this one) focusing on the fact that you can choose who sees what and that the private information is protected by encryption. Which is great... but misses the point. The largest reason I can see to use a .tel domain is to get your information out publicly... so why would I then want to hide it?

SINGLE POINT OF FAILURE - The same strength that Telnic has in not being able to modify the DNS A record is also a weakness. Everything goes back to Telnic. I am sure they have spent a huge amount of time on making their system scalable, reliable, etc. But still... if someone out there mounts a large Distributed Denial-of-Service (DDoS) attack from some botnet... the site and service could be taken offline. Now this is true of most all other emerging services today, so Telnic is not alone in this. But it does cause me some concern. (I guess the one counter argument to this is that presumably local registrars would be able to provide authoritative DNS servers for a given .tel domain. In that case it is not all dependent upon Telnic's servers - although you still would be for authority for the root of the .tel domain.)

Those are my technical concerns.

On a more fundamental level, I have some other concerns:

DIRECTORY INFO IN THE HANDS OF A SINGLE COMPANY - It does admittedly bother me to have a single company behind this .tel domain. Yes, I know, everyone enters their own information and it's all stored in the distributed DNS database. I also realize that for someone to build out their website and infrastructure, etc., it takes money... and the expectation that there will be money coming in at the end... that there will be a return on investment.

Don't get me wrong... the folks at Telnic seem to be great and decent folks. They may be. But I just have fundamental issues when a service that would like to be part of our core Internet infrastructure (as our global directory) is owned by a single company.

Those of us who remember the early days of the Internet remember how much we all chafed against Network Solutions' monopoly on domain name registrations (and their ability to charge more and more). We remember the walled gardens of CompuServe, AOL, GENIE, Prodigy, etc. I am still concerned about the new walled gardens of Facebook, MySpace and even Twitter. I am concerned about Skype's walled garden as it becomes increasingly central.

I'm a security guy. I understand the value in distributed systems and diverse environments (while understanding there are also corresponding risks) in ensuring reliability and availability.

The folks at Telnic may be great people... today. But if the service takes off and then they are acquired by someone else who isn't so friendly... what then?

I guess I'd be far more excited and enthusiastic if the global ".tel directory" was being promoted by some nonprofit consortium or academic-led group... (But then again, would they have been as incented to create it in the first place?)

telniclaunchinfo.jpgDID IT NEED TO BE SUCH A BLATANT MONEY-GRAB? - Maybe I am just a bit put off, too, by the rather blatant language the Telnic folks use around their launch information. Today is the "Sunrise" period (no real problem with that term) where trademark owners can apply for their name and pay a very high fee to do so. February 3 marks the "Landrush" period (yes, I don't like this one) when anyone can register a .tel domain for a "premium" price and then finally March 24, 2009, represents the general availability when anyone can register a domain at "regular" prices.

On the one hand, I applaud Telnic on their transparency - it undoubtedly will be a "landrush" on February 3 as everyone who doesn't have a trademark but wants in on a new TLD will rush to do so. And there will be X number of domain squatters who will be looking to register any and all domains that were not grabbed by their prominent owners in .com/.net/.org in an attempt to then try to get those folks to buy the domain names from the squatters. It probably will generate a good bit of revenue for the domain registrars... for Telnic... and for their investors. I just guess I wish it weren't so blatant - I guess the whole "landrush" thing bothers me most... just make the domain available at a price for all of us. Ah, well - I can see why they did it.

DO WE REALLY NEED ANOTHER DIRECTORY? - This is not so much of a problem as a general question... I think it's clear to me that we are still trying to sort out how people best find our contact information on the Internet. We've been trying this since we first started moving online and there have been any number of attempts before. (Recall that Yahoo got its start as a directory of web sites in the then very tiny World Wide Web.) We're still not there. Sites like Facebook would like to be that site for us. So would LinkedIn and Plaxo and a zillion others. Plus there's any number of other startups. Plus you can always take out your own domain name and set that up (as I have done). Will Telnic and the .tel folks succeed where others haven't? I don't know.


SO WILL I BUY ONE?

So at the end of the day, would I buy a ".tel" domain? I don't know. I think it's an interesting idea and the reality is that yes, I probably would buy "danyork.tel" if by some miracle it is actually available in March... mostly just because I own most of the other "danyork.*" domains already. There are, of course, many other "Dan York"s out there and so perhaps one of them will get this one. Or perhaps some domain squatter will buy that domain after reading of my interest here in the hopes that he/she could milk more money out of me. (Sorry, but NO!) I just don't see that the value shouts out to me enough that I might be willing to join into the "landrush" and pay a premium price.

But even if I bought it, would I use it? I don't know. The potential for spam still seems high to me. We'll have to see what they do to combat it.


THE THORNY PROBLEM

In the end, the problem of locating contact information out on the Internet remains a challenging issue... where do you find the best contact info for someone? a Google search? Facebook? LinkedIn? the person's web site? Some other social networking site? Skype's directory?

Telnic's launch of .tel throws another hat into the ring... why not store all that info in DNS? Will .tel be used? Will people accept a new TLD? (Or are they getting fatigued of new TLDs?) Can the Telnic folks address the spam-harvesting issues that have basically killed public ENUM? Or are those inherent problems of using a public system like DNS? Will enough people use it to make it be a valuable database?

I commend the folks at Telnic for stepping into the ring and offering a solution - and I'll certainly be joining in watching what happens.

What do you think? Would you buy one? Or do you think there are other/better solutions?


If you enjoyed this post, please consider either subscribing via RSS or following me on Twitter or identi.ca.

Technorati Tags: , , , , , ,


"Discover Best Practices for Secure Unified Communications" - a webinar I'll be giving tomorrow

Cross-posted from Voice of VoIPSA:

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I'll be giving on "Best Practices for Secure Unified Communications".

From time-to-time, you'll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA and we definitely enjoy doing so. For instance, as readers of the blog know, I've been speaking at Ingate's SIP Trunking seminars for quite some time now. We're generally open to speaking at anyone's event or webinar - as long as they understand that there is no endorsement of the company/vendors's products/services and that we are there to provide an industry-neutral point-of-view.

mitel-logo.jpgSo tomorrow at 1pm US Eastern I'll be speaking as part of Mitel's "Discovery Series" where they invite in guest speakers from the industry. You can join the webinar for free at Mitel's site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here's the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA) October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out to test (or attack) VoIP system and solutions and best practices for protecting your systems. He'll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I'll note that they also have a nice companion webinar to the one I'll be giving tomorrow in one that HP representatives recently have on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I'll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.

Technorati Tags: , , , , , , , , ,


Blue Box Podcasts #83 and #84 now online - VoIP, SIP, Skype security...

blueboxlogo.jpgOver on Blue Box, I've now uploaded two recent episodes:

With that I am almost caught up with our main shows... and I still have a bunch of Special Editions to finish producing and post. I'm hoping to finish post-production on #85 tonight so that I can post it tomorrow. We'll see...

Technorati Tags: , , , , , , , , , ,


Slides from my ITEXPO security talk - SIP Trunking and Security in an Enterprise Network

Earlier this month out at ITEXPO in Los Angeles, I participated in the Ingate SIP Trunking seminars as I have been doing for the last year or so. My talk was "SIP Trunking and Security in an Enterprise Network". The slides are available for viewing or download from my SlideShare account and I'll also embed them here in this post.

I did record the presentation in both audio and video and hope to be making that available as a Blue Box podcast some time soon. I'll then sync the slides to the audio. Meanwhile... enjoy the slides!

Technorati Tags: , , , , , , , , ,


Heading out to Los Angeles this week for Communications Developer Conf / ITEXPO...

commdeveloperconference2008.jpgAs I note over in my Voxeo blog post, I'll be out at the Communications Developer Conference (co-located with ITEXPO) this week in Los Angeles. I will be speaking twice. First on Wednesday morning I'll be talking about SIP Trunking and security as part of the Ingate SIP Trunking workshops from 10:15-11:15am. Next, on Thursday, I'll be speaking about "Developing Voice Applications in the Cloud", a favorite topic of mine these days.

Voxeo will also have a booth and I expect to be there. I'm also doing some video interviews and other media work (actually on both sides of the camera). I'm looking forward to catching up with a good number of folks out at the show.

If you read this blog and are out there at either the Communications Developer Conference or ITEXPO, please do come by and say hello. I posted the schedule of talks over on Voxeo's blog site. You should be able to find out more about where precisely I am through either twitter.com/danyork or twitter.com/voxeo.

Technorati Tags: , , , , , , , , , , ,