Posts categorized "VoIP Security"

Shawn Merdinger - The Top 11 VoIP security issues you need to discuss with your vendor

Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the "top 11 VoIP security issues you need to discuss with potential vendors".  His posts are:

with the third post coming at some point soon to cover points 9-11.  Shawn's posts are definitely "required reading" for anyone working on or concerned about issues around VoIP security.  He's done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).


Ranting about how very wrong ComputerWorld.au is about enterprises avoiding IP telephony for teleworkers

ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack".  Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ".  I think you can gather my opinion from the title.  It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).

The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...


ETEL - Black Bag Security Presentation, 243 slides, Lessig connection, errata... slides available

So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now.  The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here.  As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!).  I'll put a PDF up here as well once I get back to Vermont.  It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.

However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link. 

Had a couple of interesting questions and points of feedback about the talk (and things I noticed):

  • Yes, there were actually 243 slides and yet it came in a hair under 15 minutes.  This is a very different way of presenting than a "traditional" deadly PowerPoint presentation.  More slides... minimal text... fast transitions.  The point is to accent your story and leave the focus on you and what you are saying.  Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text.  One or two words maximum on a slide.
  • Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos.  I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story.  Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets.  Lawrence Lessig is definitely a master of the style and I admire what he does.  When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF.  (It is also well worth a listen for the subject matter as well.)  So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation.  Personally, I wish more people would present this way.
  • On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs.  He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.

    He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away.  But the question is whether or not they are secured by default.  In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security.  Perhaps they installed it and didn't enable required security options.  Perhaps they turned the security features off.  Perhaps the IP-PBX didn't have it in the first place.  I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder.  I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on.  All of the major vendors in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP.  We have to, because enterprises demand it.

    That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space).  You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had.  So in the end, he did have secure VoIP.

    It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
  • Another person asked about why I focused only on SIP.  Well, the answer is pretty much...  15 minutes.  That's the amount of time I had to do this talk.  In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
  • One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me.  I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story.  While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation.  VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..."  Welllll... not quite.  CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
  • Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right).  I thought it was just a great little nod to the Canadian heritage of my employer!  (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
  • And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference!  ;-)

With that, I'll end the commentary and just try out the embedding of the SlideShare object.  Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:

Comments, feedback and opinions are definitely all welcome.


And so ETel begins...

Today starts the first day of ETel, a.k.a. O'Reilly's Emerging Telephony conference. ETel is not one of the giant conferences... unlike one of the VONs, Internet Telephony or VoiceCon there will probably only be 500-1000 people here.  But that is part of the charm, really (and this is only the second year)... it's a place for the VoIP alpha-geeks to network, promote their visions, combine their visions, socialize and otherwise just learn a heck of a lot from each other.   The schedule is packed with great info... the speaker roster is a veritable "Who's Who" of people playing in the "Voice 2.0" or "Telephony 2.0" (or <pick your cliche term>) space.  All in all, it's one conference I've been very much looking forward to.  Just in town last night, I've already run into Alec Saunders, Brad Templeton, Bruce Stewart, Surj Patel... had dinner with Blue Box podcast co-host Jonathan Zar and security researcher Shawn Merdinger...   I know Ken Camp is around, Andy Abramson, Om Malik and so many others... it should be a great and fun conference.

For my part, I am doing two sessions.  First, today at 1:30pm Pacific, Jonathan, Shawn and I will be doing a 90-minute workshop on VoIP security, primarily from an industry-wide VOIPSA point-of-view.  We'll go over the main issues around VoIP security, talk about the threats, tools, best practices and more.  We're hoping to do it more as a fun conversation rather than a dry panel... you'll hopefully get to hear the results later yourself as I'll be recording the session for distribution as a Blue Box podcast.  O'Reilly has graciously given that permission again which is wonderful. (And I, of course, brought all my field recording gear.)

One of the things the three of us will also be doing is talking about a list of VoIP security tools that VOIPSA has been developing... stay tuned for more on that.

Then on Thursday I have my "general session"... my "15 minutes of fame" (or infamy) from 11-11:15am in front of the entire assembled crowd... where I will attempt to digest into that brief time the salient points about VoIP security.

I am actually VERY much looking forward to this session because I've done my presentation in a completely different style from any other presentation that I've given publicly.  I'm going to tell a story... and do so in a way that should be both fun and entertaining... and will also get the points across.    I'll say little else... except perhaps to dangle the tease that it comes in at over 200 slides yet clocks in at only about 11 minutes right now. (have to leave time for questions, eh?)    Like I said, completely different style from other presos I've given... but I'm very much looking forward to it.

Will I succeed?  Or will I fall flat on my face before several hundred of my peers?  Stay tuned...  ;-)


Tom Keating reviews "pbxnsip", an inexpensive IP-PBX based on Windows with a focus on security

Noticed today that Tom Keating has a review up on "pbxnsip", which has the interesting twist of being a low-cost PBX solution running on Microsoft Windows.   Most other inexpensive or open-source software-only PBX solutions tend to run on Linux, and indeed, pbxnsip does have Linux versions (and apparently NetBSD although they are not listed... perhaps they just run the Linux version).  I first actually learned of pbxnsip some time ago at one of the various VoIP tradeshows when I was struck by the fact that they were advertising security as the main point in big letters on the background to their booth. In fact, security is #2 on their list of "reasons to buy":

It addresses security. The pbxnsip PBX uses https, sips, SRTP and sdes to make the communication to your PBX secure. Using sdes-capable devices, your voice calls will stay as secure as your https traffic.

Well, gee, given my background, it's not hard to imagine that any vendor that basically leads with security gets some extra points in my book.  (Especially since doing so has the potential to paint a big red target on your back to all the attackers out there who like to debunk claims about security.)  I've not played with it myself, but Tom's review does indeed make it sound interesting.
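The ETel write-up above makes the point that an enterprise IP-PBX may have voice and call-control encryption available but not necessarily turned on by default, and the pbxnsip blurb quoted here promises sips, SRTP and sdes. Neither tells you how to confirm what a given phone or PBX actually negotiated on a call. What follows is an added example, not code from this blog, from Mitel, from pbxnsip or from any other vendor mentioned on this page. It audits the SDP body of a SIP INVITE (as you would lift it from a packet capture) for an SRTP transport profile and well-formed SDES "a=crypto" key lines per RFC 4568, and it flags the case where SDES keys are carried over unencrypted signaling: with SDES the SRTP master key is inside the SDP, so media privacy is only as good as the TLS protecting the signaling (which is exactly the "as secure as your https traffic" claim). The sample SDP bodies, the key material and the signaling transport labels are constructed for illustration.

```python
"""Audit a SIP INVITE's SDP body for SRTP/SDES negotiation (added example; not
the blog's or any vendor's code). Assumes the SDP text is already in hand, e.g.
extracted from a packet capture, and that the SIP transport it arrived over is
known ('UDP', 'TCP' or 'TLS'). All sample data below is constructed."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, List

# Master key + salt length in bytes per crypto suite (RFC 4568 section 6.2).
# Suites not listed here are reported as unknown rather than trusted.
SUITE_KEY_SALT_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
SRTP_PROFILES = ("RTP/SAVP", "RTP/SAVPF")
PLAIN_PROFILES = ("RTP/AVP", "RTP/AVPF")


@dataclass
class MediaFinding:
    media: str                     # "audio", "video", ...
    port: int
    profile: str                   # transport profile from the m= line
    crypto_suites: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def encrypted(self) -> bool:
        return self.profile in SRTP_PROFILES and bool(self.crypto_suites) and not self.problems


def _check_crypto_line(value: str, finding: MediaFinding) -> None:
    # a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
    # key-params = "inline:" base64(key||salt) ["|" lifetime] ["|" MKI ":" length]
    parts = value.split()
    if len(parts) < 3 or not parts[0].isdigit():
        finding.problems.append(f"malformed crypto line: {value!r}")
        return
    suite, key_params = parts[1], parts[2]
    if not key_params.startswith("inline:"):
        finding.problems.append(f"unsupported key method in {key_params!r}")
        return
    key_b64 = key_params[len("inline:"):].split("|")[0]
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        finding.problems.append(f"{suite}: key material is not valid base64")
        return
    expected = SUITE_KEY_SALT_BYTES.get(suite)
    if expected is None:
        finding.problems.append(f"unknown crypto suite {suite}")
    elif len(raw) != expected:
        finding.problems.append(f"{suite}: key||salt is {len(raw)} bytes, expected {expected}")
    finding.crypto_suites.append(suite)


def audit_sdp(sdp: str) -> List[MediaFinding]:
    """One finding per m= line: profile, SDES suites offered, and any problems."""
    findings: List[MediaFinding] = []
    current = None
    for line in sdp.splitlines():
        line = line.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "m":
            fields = value.split()
            port = int(fields[1].split("/")[0])      # "49170/2" style port counts
            current = MediaFinding(fields[0], port, fields[2])
            findings.append(current)
        elif kind == "a" and current is not None and value.startswith("crypto:"):
            _check_crypto_line(value[len("crypto:"):], current)   # media-level only
    for f in findings:
        if f.profile in SRTP_PROFILES and not f.crypto_suites:
            f.problems.append("SRTP profile offered but no a=crypto key (SDES absent; DTLS-SRTP is not checked here)")
        elif f.profile in PLAIN_PROFILES and f.crypto_suites:
            f.problems.append("a=crypto under RTP/AVP: media is still sent in the clear")
    return findings


def audit_call(signaling_transport: str, sdp: str) -> Dict[str, object]:
    """Combine the call-control and media checks into one verdict."""
    findings = audit_sdp(sdp)
    issues: List[str] = []
    for f in findings:
        where = f"{f.media}/{f.port}"
        if f.profile in PLAIN_PROFILES:
            issues.append(f"{where}: plain RTP, media in the clear")
        issues.extend(f"{where}: {p}" for p in f.problems)
        if f.crypto_suites and signaling_transport.upper() != "TLS":
            issues.append(f"{where}: SDES keys carried over {signaling_transport}; "
                          "whoever can read the signaling can decrypt the SRTP")
    return {"media": findings, "issues": issues, "secure": bool(findings) and not issues}


# Constructed samples (hypothetical host 192.0.2.10; key bytes are a fixed pattern).
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()   # 30 bytes -> 40 base64 chars
CLEARTEXT_OFFER = "v=0\r\no=steve 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n" \
                  "m=audio 49170 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\n"
SRTP_OFFER = "v=0\r\no=steve 2 2 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n" \
             "m=audio 49172 RTP/SAVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n" \
             f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20|1:4\r\n" \
             f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}\r\n"
BAD_OFFER = "v=0\r\nm=audio 49174 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAA\r\n"

if __name__ == "__main__":
    for label, transport, sdp in (("default install", "UDP", CLEARTEXT_OFFER),
                                  ("SRTP over TLS", "TLS", SRTP_OFFER),
                                  ("SRTP over UDP", "UDP", SRTP_OFFER),
                                  ("broken key", "TLS", BAD_OFFER)):
        result = audit_call(transport, sdp)
        print(f"{label}: secure={result['secure']}")
        for issue in result["issues"]:
            print("   -", issue)
```

Run against real captures, the interesting output is the third case: a PBX can be "encrypting" every call with SRTP and still be handing the keys to anyone on the LAN segment if SIP is left on UDP or TCP. That is the combination the ETel talk was getting at with "voice and call control" both encrypted, and it is why the check above refuses to call a call secure on the media profile alone.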

I guess I'll have to add it to the (huge) list of things to check out...

Thanks, Tom, for as usual providing your very thorough reviews - you definitely help a lot of the rest of us.

UPDATE: I knew there was another reason I knew of pbxnsip... CEO Christian Stredicke has been on the VOIPSEC mailing list for quite some time, although I recall hearing from him primarily when he was with snom technology.


Doing a "deep dive" on OpenID...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here's some good places to start if you know nothing about it:

Lots to learn out there...


Blue Box Podcast #50 finally hits the feed...

Fans of Blue Box have to be aware that I'm a wee bit behind in posting episodes... so I was delighted to finally get Blue Box #50 uploaded yesterday.  I still need to finish putting the show notes up there, but at least the show is out so that people can listen to it.  Given that we recorded it January 17th, it has already aged a bit.  Tonight or tomorrow I'm hoping to get #51 up... and then #52 has already been recorded as well... I'd like to get caught up before going out to ETel where I'm undoubtedly going to get more recordings for special editions.


Richard Zhao's new blog URL - sbin.cn/blog - telecom and voip with a Chinese view...

I've long enjoyed Richard Zhao's posts at "Telecom, Security and P2P" because, living in Beijing and working for Lenovo, he brings a distinctly different view into the global conversation.  For instance, earlier this year he posted about Chinese security standards, something that few of us outside the country would probably have noticed or commented on.  However, as he mentions over on his Chinese language blog (in English), access to Wordpress.com, where he previously had the blog, is apparently being blocked or degraded in China.  So he has now moved his blog to:

http://sbin.cn/blog/

As the title states, he covers primarily telecom and security.  Do check him out...


Special "Still Secure" podcast episode offers 2006 review and 2007 predictions

Right before the holidays I had sent in to Alan Shimel a contribution for a special episode 26 of his "Still Secure After All These Years" podcast.  In this episode, he asked a number of us in the security field to give our thoughts on major issues of 2006 and predictions for 2007.  Mine were predictably about VoIP....  but many others ran across the whole field of information security.

Kudos to Alan for pulling it all together and producing the episode.  Makes for interesting listening.



Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. - and the frustrating audio issues in post-production

Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the "top VoIP security news stories of 2006" and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.

This was a bit of a frustrating show to post-produce. Post-production is always a somewhat lengthy process, anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges with voice that will simply fade away or get garbled. It's fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That's actually apparent in this show where Jonathan's voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs, I'd probably drop my post-production time by a good bit.

However, this week I couldn't blame Skype. I record the show in Audacity and it appears that because I had been previously editing a file located over on a USB hard drive, Audacity started writing its files for the new episode over on that hard drive. As anyone using Audacity will know, it writes a huge number of files to disk. Basically many, many little files with small pieces of audio in them. What seems to have happened is that periodically parts of the audio didn't get written. Or the files got destroyed. Or who knows what. Perhaps I had too many other apps running on the older computer I'm using for recording and Audacity couldn't keep up with what was being sent to it. Perhaps there was too much latency going to the USB hard drive. I don't know, but the end result was that there were gaps in the audio that got worse as the show went on. Just missing pieces of audio.

Unfortunately, I discovered it after the holidays were already underway and I couldn't really reconnect with Jonathan to rerecord. And also unfortunately, I wasn't running a backup record as I have in the past.

Given that my goal is high-quality audio production, this was a rather disappointing turn of events, but in the end I did put it out there with a big caveat in the show notes.

We just recorded show #49 today and I made sure to have nothing else running on the PC, to be writing to the main hard drive and to have a backup recorder. Hopefully I'll not experience the issue again.
