Posts categorized "VOIPSA"

Special "Still Secure" podcast episode offers 2006 review and 2007 predictions

Right before the holidays I had sent in to Alan Shimel a contribution for a special episode 26 of his "Still Secure After All These Years" podcast. In this episode, he asked a number of us in the security field to give their thoughts on major issues of 2006 and predictions for 2007. Mine were predictably about VoIP... but many others ran across the whole field of information security.

Kudos to Alan for pulling it all together and producing the episode.  Makes for interesting listening.


Blue Box Podcast #48 out with our predictions for 2007, VoIP security news, etc. - and the frustrating audio issues in post-production

Earlier this week I uploaded Blue Box Podcast #48, where Jonathan and I go beyond just talking about the news to also review the "top VoIP security news stories of 2006" and also get into our predictions for 2007. My prediction #1 will be fairly obvious for anyone who has listened to the show for a while. We also cover the typical range of VoIP security stories, talk about OpenID for caller authentication and many more things.

This was a bit frustrating of a show to post-produce. Post-production is always a somewhat lengthy process, anyway, because I want the enhanced audio that you get from a wideband codec, which means that we use Skype. However, Skype creates its own challenges with voice that will simply fade away or get garbled. It's fairly routine that we have to disconnect and reconnect a time or two within the space of the hour in which we are recording the show. (That's actually apparent in this show where Jonathan's voice is at a lower level and then suddenly is much louder. After the reconnect, he wound up with more volume.) If I could get the audio quality in a softphone without the fade outs, I'd probably drop my post-production time by a good bit.

However, this week I couldn't blame Skype. I record the show in Audacity and it appears that because I had been previously editing a file located over on a USB hard drive, Audacity started writing its files for the new episode over on that hard drive. As anyone using Audacity will know, it writes a huge number of files to disk. Basically many, many little files with small pieces of audio in them. What seems to have happened is that periodically parts of the audio didn't get written. Or the files got destroyed. Or who knows what. Perhaps I had too many other apps running on the older computer I'm using for recording and Audacity couldn't keep up with what was being sent to it. Perhaps there was too much latency going to the USB hard drive. I don't know, but the end result was that there were gaps in the audio that got worse as the show went on. Just missing pieces of audio.

Unfortunately, I discovered it after the holidays were already underway and I couldn't really reconnect with Jonathan to rerecord. And also unfortunately, I wasn't running a backup record as I have in the past.

Given that my goal is high-quality audio production, this was a rather disappointing turn of events, but in the end I did put it out there with a big caveat in the show notes.

We just recorded show #49 today and I made sure to have nothing else running on the PC, to be writing to the main hard drive and to have a backup recorder. Hopefully I'll not experience the issue again.



Mark Collier's "VoIP Security Blog" gets a new makeover...

As I noted in my Voice of VOIPSA post today, Mark Collier (of hackingvoip.com fame) took some time in December to give www.voipsecurityblog.com a graphical makeover. He's got a cute new header image and an updated picture of himself. Although, Mark, I really have to say... you are violating the security "code of dress"! Don't you know that all good security people are supposed to wear black? Preferably a black turtleneck? Come on, now, you're going against the motif!

Ah, well... in any event, if you haven't checked out Mark's blog, it's a good one... even if he is wearing white. :-)



Blue Box Podcast #47 is now live... VoIP security hype, governments blocking Skype, SANS and VoIP training, more...

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show... probably the most we've ever had. See the show notes for all the links and info.



Ken Camp: "I've been Blueboxed"

(Originally posted at http://dyork.livejournal.com/257414.html)

Finally getting caught up on content recorded for Blue Box, I finished up on Monday night the interview I did with Ken Camp out at Internet Telephony in San Diego and posted the interview today. Ken responded with his post: "I've been Blueboxed", which gave me a laugh because I don't think I've ever seen the show name used as a verb before!



Confirmed to speak at O'Reilly's Emerging Telephony conference, Feb 27 - Mar 1, 2007, San Francisco

(Originally posted to http://dyork.livejournal.com/254735.html)

Just confirmed late last week that I'll definitely be speaking at O'Reilly's Emerging Telephony Conference (aka "ETel") this coming February 27 - March 1, 2007 in San Francisco. The topic I will be speaking on will, of course, be VoIP security. Two sessions, actually... one a 15-minute plenary session providing an overall view of VoIP security and then the second a 90-minute workshop going into much more detail, providing info about security tools, best practices and much more. Both, of course, will be later put out as part of Blue Box. Should be a lot of fun, and given that it's in the SF area, I'll probably be able to pull Jonathan Zar in as well, which would be cool. Now I just need to put up a picture, bio and session abstracts...

As I've said to a number of folks, ETel 2006 was one of the very best out of all the conferences that I attended all year. No real trade show... just conference sessions full of the "alpha geeks" that O'Reilly conferences tend to attract. People really on the bleeding edge of trying out new and different things with telephony. They had a "fair" at one point that showcased startups that were doing really wacky things... it was all great stuff. Definitely a place to meet the people pushing the true leading edge of IP telephony. Here's a brief part of the promotional material:

ETel captures and telegraphs the excitement around ahead-of-the-curve telephony technologies, bringing together all layers of the telephony community to compare and contrast web telephony technology, business, and culture in a collaborative, spirited environment. ETel highlights the people, projects, and activities pushing the boundaries of what's possible with IP telephony. ETel provides a map of the evolving telephony horizon and gives you the charts you need to navigate the new communication opportunities ahead.

If you are interested in the bleeding edge of telephony, definitely check out the conference.



VoIP News in Australia picks up on VOIPSA Best Practices...

(Originally posted to http://dyork.livejournal.com/251845.html)

I do not know precisely why, but the Australian VoIP media seems to pick up a lot of good news items about VoIP security. If you take a look at any Blue Box episode, you'll often see that many of the news items we talk about come from Down Under. I don't know why, but they seem to have security as a partial focus. It's great to see and they are a very good source of news. One site there, VoIP News, is also the only one I've really seen to write a post about the VOIPSA Best Practices Project. We weren't really expecting people to write about it on news sites... the launch is really more low-key and we didn't do any active PR beyond blog posting and sending to email lists. Now, when we have the finished product, that will be a different story.

Of course, to finish one must first start... hopefully later today... just in time for me to start travelling for a week!

In the meantime, it's great to see this VoIP News site writing about us... I've seen several subscriptions already today from Australia.



VOIPSA best practices mailing list growing fast...

(Originally posted at http://dyork.livejournal.com/250011.html)

Publicity helps, of course. Start talking about something and the people start signing up. Overnight the VOIPSA "best practices" mailing list has grown from 26 to 65 subscribers, with more subscription notices coming in each time I look at my email. This certainly reflects the way I distributed the word... I'm sure many people, myself included, route the VOIPSEC mailing list into a folder where they read it when they can. Or at least they read other messages before that of a "mailing list". So I expect I'll continue to see subscriptions coming in over the next couple of days.

As the mailing list administrator, I naturally receive the subscription notifications and I have to say that there are some pretty impressive people and companies among those who have subscribed. I think we now have one or more representatives of basically all of the major IP-PBX vendors, a good number of security vendors, universities, US government agencies, a few financial institutions (good to have, given the natural security paranoia of banks)... plus a whole host of people that are using various Gmail, Yahoomail, etc. addresses that give nothing away about their identity. (I would expect nothing less from a group of security professionals! :-) Good number of folks participating from companies around the world. Knowing the caliber of some of the people who have signed up thus far, I'll admit that it could be a bit intimidating... luckily, for better or worse, I've never been accused of a lack of self-confidence. :-)

A lack of time is a different issue, though, but it looks like things are okay to the point where I can spend the afternoon putting the last pieces together in the wiki to be able to start a discussion tomorrow. We'll see...



VOIPSA "VoIP Security Best Practices" project to launch this week

(Originally posted to http://dyork.livejournal.com/249531.html)

Cross-posting from Voice of VOIPSA where I posted this earlier today:

I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of "best common practices" that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I'm still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don't want to join a mailing list, updates will be posted here on this blog from time to time.

I went into a bit more detail in a subsequent post to the VOIPSEC mailing list, mentioning, for instance, that people who think they will be interested in editing/commenting on the actual text should make sure they are registered in the VOIPSA wiki.

I'm excited to get the project underway... I've been trying to get it launched for the last month or so, but between travel and RFP deadlines, the time has never seemed to be right. It's still not right, as I have to finish a couple of RFP contributions and then I'm off to London next week, but the project has to begin *sometime*. As I expected, I'm already seeing a good number of folks subscribing... probably up around 50 and the news is just going out now, so I'll expect to see more in the next day or so.

My goal is to finish up some of the back-end wiki things tomorrow and then launch on Thursday.

If you are interested in contributing, please do follow the links and join the mailing list.



Click-to-Call, Google Maps, security - and the fundamental disruption to the carrier telephony space

Over on "Voice of VOIPSA", Dustin Trammell wrote a long post called "Click-to-Harrass" that discusses "click-to-call" services and specifically the new Google Maps click-to-call capability. I wrote a comment that inadvertently wound up being almost as long as Dustin's article. Given that it had been a topic I was thinking about writing about here anyway, I decided to cross-post my comment here as well.


Dustin,

Nice piece. TechCrunch also had a post yesterday speculating that Google had pulled Click-To-Call because of harassment issues, although it seems to have just been a temporary service outage as the service is back running today (used it myself this morning).

The interesting thing, though, is that you can see the immense value to the consumer for this type of service. Over the past few days I've been testing it myself with calling various local businesses here in Vermont. I have to say it has worked great. Find them in Google Maps, click the "call" button, wait for the ring of my phone, press the "Talk" button on my wireless handset and... ta da... I'm connecting to the business. It is a little strange for other people in the house (i.e. my wife) to hear the phone ring once before I pick up, but outside of that, it works fine. From a consumer point of view, it's a wonderfully easy way to find businesses and connect. Why should I remember my dentist's number when I can just find them in Google Maps and click "call"? Simple. Easy. Convenient.

Interestingly, the Caller ID that I see is that of the business I am calling, so I'm not entirely sure how that is all working. You are right, though, that this does raise serious issues around the accuracy of call records. I'll have to look at my next phone statement and see how (or if) these calls are recorded.

From a security point-of-view, too, it's not entirely clear to me personally where all these calls are going. Presumably Google is using some VoIP Service Provider (some posts have indicated it is VoIP, Inc., in Florida) who is initiating the calls to myself and the other business. How long is my call actually in "VoIP" versus the traditional PSTN? What IP networks does it traverse? What is the window of exposure for interruption or interception? All good questions without ready answers (at least that I can see).

What is interesting to consider, also, is how fundamentally disruptive this and other similar services are to the traditional carrier market. Why should I pay Verizon (my carrier here in VT) anything beyond the very, very basic service if I can use these services for my connections? Given that the model today here in the US is that incoming calls are free, what is my incentive to go beyond the very basic plan? Suddenly instead of paying $50 or $70/month for an unlimited NA calling plan, I'm paying $15/month for rudimentary service. Just use a click-to-call service... especially a free one from Google, and you're set. Now, granted, I need to use some other service for calling residences, since Google is only businesses, but still, the point is that these services have to be giving carrier execs severe cases of agita.

It will also be curious to see the effect this Google effort has on JaJah and friends, where Google is making it free. Given that JaJah's business model seems to be around charging people for calls longer than 5 minutes, a move like this has got to be a threat to that model. On the other hand, they may be wagering on the "stickiness" of customers... once they have started using Jajah, they'll stick with it. However, customers are fickle and we've seen time and time again that free beats everything else (witness Skype's growth).

What I am not entirely clear on is the business model for Google. Obviously this service can drive people to use Google Maps, but okay... so what? As of this moment, there is no blatant advertising on any of the queries I've done. Now this may just be that no one has sponsored any links relevant to my very local queries. I note that when I did a query on "map store, boston, ma", I got sponsored links above and below my search results. So maybe that is it... which seems kind of weak to me personally. If I'm looking up a business, for me odds are pretty certain that I'm going to call that business. But maybe that's just me. Maybe enough other people are clicking on the sponsored links that giving away calling minutes is an effective loss leader to bring people to the site. I'm sure Google being the behemoth that they are they can get very aggressive pricing, so all the collective minutes may just be noise in their balance sheet.

Anyway, it's fascinating to watch all of these services evolve, and yes, as you indicate, there are serious security issues that do need to be addressed. We shall see how this all shakes out.

Thanks for writing this post,
Dan
