Posts categorized "VoIP"

Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers

ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack".  Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ".  I think you can gather my opinion from the title.  It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).

The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...


ETEL - Black Bag Security Presentation, 243 slides, Lessig connection, errata... slides available

So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now.  The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here.  As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!).  I'll put a PDF up here as well once I get back to Vermont.  It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.

However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link. 

Had a couple of interesting questions and points of feedback about the talk (and things I noticed):

  • Yes, there were actually 243 slides and yet it came in a hair under 15 minutes.  This is a very different way of presenting than a "traditional" deadly PowerPoint presentation.  More slides... minimal text... fast transitions.  The point is to accent your story and leave the focus on you and what you are saying.  Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text.  One or two words maximum on a slide.
  • Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos.  I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story.  Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets.  Lawrence Lessig is definitely a master of the style and I admire what he does.  When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF.  (It is also well worth a listen for the subject matter as well.)  So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation.  Personally, I wish more people would present this way.
  • On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs.  He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.

    He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away.  But the question is whether or not they are secured by default.  In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security.  Perhaps they installed it and didn't enable required security options.  Perhaps they turned the security features off.  Perhaps the IP-PBX didn't have it in the first place.  I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder.  I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on.  All of the major vendors in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP.  We have to, because enterprises demand it.

    That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space).  You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had.  So in the end, he did have secure VoIP.

    It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
  • Another person asked about why I focused only on SIP.  Well, the answer is pretty much...  15 minutes.  That's the amount of time I had to do this talk.  In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
  • One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me.  I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story.  While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation.  VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..."  Welllll... not quite.  CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
  • Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right).  I thought it was just a great little nod to the Canadian heritage of my employer!  (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
  • And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference!  ;-)

With that, I'll end the commentary and just try out the embedding of the SlideShare object.  Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:

Comments, feedback and opinions are definitely all welcome.


ETel - Too many great conversations to blog...

Too many conversations... that's the struggle here.  Just really great folks.  Very much enjoying the sessions so far.  Currently listening to the 5-minute lightning talks... tonight there is a "VoIP Blogger Dinner" organized by Andy Abramson... somehow I don't think I'll really be blogging about much of this until the plane trip home.  (I am finding that I am doing some "micro-blogging" about web sites over on Twitter at http://www.twitter.com/danyork/ )

Conference has been well organized.  Only issue I've really had is that the WiFi network has been of varying quality.  Sometimes it is working fantastically... sometimes it works for 20 minutes and then it dies... sometimes I just can't connect, even though I'm sitting in the exact same spot I was an hour earlier.  I realize it's really tough to do WiFi for a conference... the demands on the network are a bit unnatural... especially with a heavily laptop-enabled crowd like this one. 


ETel: FreeSWITCH Boot Camp...

I admit to having really only very peripherally followed the growth of FreeSWITCH, so I was intrigued to attend the "FreeSWITCH Boot Camp" session this morning here at ETel.  It was a tough call given that Stowe Boyd was also speaking, but I wanted to understand what FreeSwitch was all about.  It was an interesting talk, although I'm left with the following observations:

  • I'm still struggling to fully understand what problem the FreeSwitch community is trying to specifically solve versus what Asterisk, sipX, OpenSER, etc. are solving. 
    • The answer from the FreeSwitch developers was that it is really complementary to those other projects and focuses on scalability and stability.  It is NOT focused on the PBX space but really at the carrier space and looking at large-scale implementations.  Several people also mentioned using it as a Session Border Controller (SBC).
      • So is it an open source SBC?
    • One carrier representative involved with the project indicated that in their testing they are getting 2,000 to 3,000 simultaneous calls up with media streaming... and at least 10,000 simultaneous calls with point-to-point media.
    • Perhaps that is the focus... but I would say that the FreeSwitch folks need to refine that message a bit so that it's a bit easier to understand.
  • Management is still pretty much all through config files.  Web GUI is still "in the works".
  • Looks to have a pretty comprehensive list of protocols, codecs, application interfaces, etc.
  • What was perhaps most interesting was their web-based interface to a conferencing system.  Pretty nicely done.

Overall, my impression was that it's an interesting toolkit to let folks play with telephony, potentially on a large scale.  It will be quite interesting to see what evolves out of the FreeSwitch developer community.  I'd be interested to know if anyone reading this is using FreeSwitch and what they are doing with it.


And so ETel begins...

Today starts the first day of ETel, a.k.a. O'Reilly's Emerging Telephony conference. ETel is not one of the giant conferences... unlike one of the VONs, Internet Telephony or VoiceCon there will probably only be 500-1000 people here.  But that is part of the charm, really (and this is only the second year)... it's a place for the VoIP alpha-geeks to network, promote their visions, combine their visions, socialize and otherwise just learn a heck of a lot from each other.   The schedule is packed with great info... the speaker roster is a veritable "Who's Who" of people playing in the "Voice 2.0" or "Telephony 2.0" (or <pick your cliche term>) space.  All in all, it's one conference I've been very much looking forward to.  Just in town last night, I've already run into Alec Saunders, Brad Templeton, Bruce Stewart, Surj Patel... had dinner with Blue Box podcast co-host Jonathan Zar and security researcher Shawn Merdinger...   I know Ken Camp is around, Andy Abramson, Om Malik and so many others... it should be a great and fun conference.

For my part, I am doing two sessions.  First, today at 1:30pm Pacific, Jonathan, Shawn and I will be doing a 90-minute workshop on VoIP security, primarily from an industry-wide VOIPSA point-of-view.  We'll go over the main issues around VoIP security, talk about the threats, tools, best practices and more.  We're hoping to do it more as a fun conversation rather than a dry panel... you'll hopefully get to hear the results later yourself as I'll be recording the session for distribution as a Blue Box podcast.  O'Reilly has graciously given that permission again which is wonderful. (And I, of course, brought all my field recording gear.)

One of the things the three of us will also be doing is talking about a list of VoIP security tools that VOIPSA has been developing... stay tuned for more on that.

Then on Thursday I have my "general session"... my "15 minutes of fame" (or infamy) from 11-11:15am in front of the entire assembled crowd... where I will attempt to digest into that brief time the salient points about VoIP security.

I am actually VERY much looking forward to this session because I've done my presentation in a completely different style from any other presentation that I've given publicly.  I'm going to tell a story... and do so in a way that should be both fun and entertaining... and will also get the points across.    I'll say little else... except perhaps to dangle the tease that it comes in at over 200 slides yet clocks in at only about 11 minutes right now. (have to leave time for questions, eh?)    Like I said, completely different style from other presos I've given... but I'm very much looking forward to it.

Will I succeed?  Or will I fall flat on my face before several hundred of my peers?  Stay tuned...  ;-)


Tom Keating reviews "pbxnsip", an inexpensive IP-PBX based on Windows with a focus on security

Noticed today that Tom Keating has a review up on "pbxnsip", which has the interesting twist of being a low-cost PBX solution running on Microsoft Windows.   Most other inexpensive or open-source software-only PBX solutions tend to run on Linux, and indeed, pbxnsip does have Linux versions (and apparently NetBSD although they are not listed... perhaps they just run the Linux version).  I first actually learned of pbxnsip some time ago at one of the various VoIP tradeshows when I was struck by the fact that they were advertising security as the main point in big letters on the background to their booth. In fact, security is #2 on their list of "reasons to buy":

It addresses security. The pbxnsip PBX uses https, sips, SRTP and sdes to make the communication to your PBX secure. Using sdes-capable devices, your voice calls will stay as secure as your https traffic.

Well, gee, given my background, it's not hard to imagine that any vendor that basically leads with security gets some extra points in my book.  (Especially since doing so has the potential to paint a big red target on your back to all the attackers out there who like to debunk claims about security.)  I've not played with it myself, but Tom's review does indeed make it sound interesting.

I guess I'll have to add it to the (huge) list of things to check out...

Thanks, Tom, for as usual providing your very thorough reviews - you definitely help a lot of the rest of us.

UPDATE: I knew there was another reason I knew of pbxnsip... CEO Christian Stredicke has been on the VOIPSEC mailing list for quite some time, although I recall hearing from him primarily when he was with snom technology.


Skype takes on Google, Microsoft and Yahoo in local business listings with new "SkypeFind" - and ratings/reviews

Skype today released a new "3.1" beta for Windows (you can get it here) with a number of minor tweaks - and a brand new component called "SkypeFind".  As you can see in the picture to the right, there's a new tab added... and it is the entrance of Skype into the game already being played by GoogleMaps, Yahoo!Local and Microsoft's Windows Live Local... namely... providing an easily searchable directory of businesses.

It's not stated, but it's pretty clear the ultimate goal is to control the directory you use to initiate calls.  Think about it, Google is aiming to do this with their "click-to-call" in Google Maps.  Find an entry (in the US, anyway) and simply click "call" and your regular phone rings.  It's simple and easy.  Google controls the directory and the initiation of calls.  It's even more logical for Skype to do this.  Find a business in the directory, click the phone number and you're dialling away using Skype/SkypeOut...

Of course, Skype aims to be more than simply yet another business directory.  As the Skype blog entry states:

SkypeFind is one of the most interesting features that we’ve done in quite a while now. We call it “Local businesses you like”, and that’s what it is - a collection of businesses, with reviews and comments, built by everyone using Skype.

So it's really a mashup of a business directory, a ratings service... and a social networking service.  The other interesting aspect is that the directory is basically empty!  It started out this morning basically with only a few entries.  Tonight it's now up to "318 listings in 49 countries by 83 people".  (Of course, you'd have to find out about the beta and then have the time to experiment.  I actually learned of it because I've stayed logged into the Skype Journal public chat and conversation popped up there this morning.)  Now I find it interesting that Skype didn't work with someone else to pre-load the database, but: a) this is still in beta; and b) the major local databases are in the hands of Skype competitors who have very little reason to work with Skype.

As you can see in the image on the left (click image for larger view), when you go into the SkypeFind tab, you wind up being able to search within a country, region, etc.  There's also recommendations from people in your contact list shown on the bottom of the panel.   You can switch to a different region.

Since Burlington, VT, had no entries and I didn't feel like entering any, I switched to the UK and figured searching for "pub" in "London" ought to generate some listings.  It did, of course, and if you click on the image to the right to get the larger view, you'll see entries with reviews and ratings.  Skype is using a cute motif of a flower with petals being removed as the rating goes lower.  Note also the choices in the dropbox in the upper right corner:

  • Most relevant
  • Most called
  • Highest rating
  • A-Z

Most called?  Well, of course, if you are Skype you would have knowledge of how many times Skype users call that number.  Just an interesting twist that you wouldn't find, of course, in the other directories (although you would wonder if Google could add it with their click-to-call).

Another interesting twist is the "Ask your friends" for recommendations button seen at the bottom of the listing.  I've not played with this yet, but per the Skype blog entry, it will change your advisory/mood message to be a question and provide a link to a public chat where Skype-using friends can then join you (presumably with Skype 3.0 or later) and answer your questions (or at least chat with you).

Going into an entry shows the ratings and reviews and gives you the ability to add your own review.  But also notice the little link at the top?  It says:

Edit this listing

Yep... you can just click on it and go in and change the name, address, web site... basically any info except for the phone number and country which per the SkypeFind guide, Skype uses as a unique identifier.  Now being a security guy, I immediately wonder about this... I can put in any URL.  What's to prevent a spammer from going through all these pubs and entering the URL for some spam site? Or a competitor from changing the names around?  Or someone just making mischief?  Nothing, really.  Phil Wolff called it a "wiki" in the Skype Journal chat today and that is what it's like. You can view the editing history, so you can see who made the changes (or at least the SkypeID of who made the change)... but the changes have in fact been made.  It will be curious to see how much abuse this does or does not get.

So will SkypeFind ever have ads or premium listings?  It would seem to be the obvious thing to do (like Google's sponsored results) and Paul Kapustka writing over at Om Malik's GigaOm site has a review of SkypeFind that quotes Skype General Manager of E-Commerce Sten Tamkivi as saying that SkypeFind may include ads in the future.  The article also talks again about how recommendations from friends will help listings "bubble up"... we'll see... first there need to be listings before they can bubble up!  (I know, I know, it hasn't even been out for 24 hours....)

One curious omission, that I have to credit Phil Wolff for pointing out.  If you look at the larger view of the "Add a listing" screen to the right, you'll notice something fairly basic is missing... a place to enter a Skype ID!  It seems that for a business to be listed you must have a PSTN number.  Given that it's Skype, you might have thought there would be a way to enter the Skype ID and call the business over Skype!

Ah, well, it's still in beta... and only available on Windows, so Mac and Linux users have to wait to play.

Beyond SkypeFind, the release did have some other minor tweaks.  There is now a "Chats" menu on the menu bar that gives you easy access to your public and private chats. And the "eye candy" of this release is the cute way Skype finally provided the notification that the other user is typing.  Where AIM and MSN/WLM have text that says something like "User-so-and-so is typing...", Skype has a pencil icon that writes... and then in a cute move erases when you are deleting what you wrote.  You can see it in this screen shot (upper right by the woman's picture) from Skype's blog.  It also shows up in chat windows (including public chats).  It's a cute way to meet and exceed what the other services have had for quite some time.

All in all an interesting evolutionary step for the Skype client... will be interesting to see how successful SkypeFind becomes as the directory becomes populated.  Given that Skype accounts are free, the security side of me just sees it as something wide open for abuse... but hopefully for Skype users I am wrong.  What do you all think?

P.S. Many thanks to the Skype Journal for continuing to run their public chat, which continues to be a source of great info about Skype...


Dean Elwood: "Why SIP Doesn't Need OpenID"

Dean Elwood over at VoIPuser.org has taken up the question about Open ID with his post "Why SIP Doesn't Need OpenID".  Dean suggests that the problem really lies between servers:

The problem of identity authentication actually resides in the server to server realm in a peered environment. How does sip.fwd.com know for sure that a peered call request is really coming from sip.voipuser.org?

Good question... and one that Dean believes can be solved through the use of the already-standardized Open Settlement Protocol (OSP).

The conversation continues...


Rich Tehrani hops on the Mitel "Presence" tour bus... at least for a day...

Scanning RSS feeds early this morning, I was pleased to see that Rich Tehrani will be speaking at our "Presence 2007" event in Costa Mesa, CA, today. I've known the tour was going on, but wasn't tracking who was speaking at the various stops.  Glad to see Rich there... I'm sure he'll give a great talk for whoever attends.  The good news for Rich, too, is that at least he was flying out of the New York area yesterday instead of the day before when the glorious storm played havoc with air travel all over the northeast.


Doing a "deep dive" on OpenID...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here are some good places to start if you know nothing about it:

Lots to learn out there...
