Disruptive Telephony

I'm in Boston this week at Fall VON. I'll be speaking on Thursday at 12:45 on (predictably) " Strategies for Solving Security". If any readers are at VON, feel free to drop a note. I'm always interested in connecting with readers.

Technorati Tags: conferences, fallvon, voip security, voipsa, von

Well, I just confirmed my travel schedule - I'm going to go have a bit of fun out at AstriCon 2007. AstriCon, for those who aren't aware, is pretty much the premiere event for Asterisk developers. I'm scheduled to speak on Thursday about (surprise!) VoIP security. My talk is an "industry perspective" in my capacity as a board member of the VOIP Security Alliance and won't be specifically Asterisk-focused, although I will include a few pieces about what you need to think about with Asterisk and the holes that Asterisk still needs to fill (like, oh, SRTP, which I know is coming). I know Mark Spencer and a good bit of the Digium crowd, so it will be fun to hang out with them (especially given my new independent status).

If any of you reading will be out there, please do feel free to drop me a line so that we can connect.

P.S. After AstriCon, I'll be heading over to the Podcast and New Media Expo in Ontario, CA. If any of you will be there, please do drop a note as well.

Technorati Tags: asterisk, astricon, voip

Over on Blue Box, I uploaded on Friday what I consider one of the best overviews about SIP security that we've done: Blue Box Special Edition #20.  I recorded the interview out at VoiceCon San Francisco in August and it's with Cullen Jennings who is a Distinguished Engineer at Cisco Systems, but more relevant to SIP is one of the Area Directors for the Real-time Applications and Infrastructure (RAI) area within the IETF.  Basically all of the proposals for RFCs relating to SIP roll up under the RAI area.  Cullen's also quite interested in and knowledgeable about security and in fact several of the security-related RFCs related to SIP include Cullen as one of the authors (as do a number of the current proposed Internet-Drafts). 

So he knows his stuff... and being a frequent presenter, he's also good at distilling complex things down into more simple descriptions, so it was an enjoyable interview that I think you will also find quite educational.  If you're working with SIP, or considering it, I'd highly recommend you listen to the show.

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I'll be participating in a panel session that is part of Ingate's SIP Trunking Seminar Series.  I expect it will surprise no one to learn that I'll be on the panel about "Enterprise Security and VoIP" wearing my VOIP Security Alliance hat.  My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am.  (And yes, I guess it is appropriate in a way to be talking about security on 9/11!)   More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form.

I posted Blue Box Podcast #56 tonight and with it Jonathan and I are beginning a series of mini-tutorials on subjects related to VoIP security.  In this show, we talked about voice encryption. In the next show (already recorded) we will talk about signaling encryption.  The idea is to cover some basic ground so that people not familiar with the area can have a basic understanding.

Just glad to get that one up - tomorrow I'm going to work on #57 to see if I can get it online for Wednesday.  We're trying hard to get back on a weekly schedule.  (#56 was intended to go up last week.)

Over on the Voice of VOIPSA weblog, security researcher Shawn Merdinger is 2/3 of the way through a series of posts on the "top 11 VoIP security issues you need to discuss with potential vendors".  His posts are:

• Pucker Up - Intimate VoIP Phone Security Questions, Part 1 of 3 (1-5)
• Pucker Up - Intimate VoIP Phone Security Questions, Part 2 of 3 (6-8)

with the third post coming at some point soon to cover points 9-11.  Shawn's posts are definitely "required reading" for anyone working on or concerned about issues around VoIP security.  He's done a great job bringing into one place the many questions that you should be asking VoIP/IP telephony/IP communications vendors about the security of the systems you are considering (or have already deployed).

ComputerWorld in Australia came out with an article today headlined "Enterprises must avoid IP telephony for teleworkers or face attack".  Given that I use a secure teleworker phone on a daily basis, I was immediately struck by the headline and felt compelled to write a response over on Voice of VOIPSA: "Why Computerworld.au is dead wrong about... ".  I think you can gather my opinion from the title.  It will be interesting to see if there is any response from ComputerWorld (I've emailed them the link).

The sad thing is that outside of the headline, the rest of the article was more or less okay. Just a bad headline...

So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now.  The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here.  As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!).  I'll put a PDF up here as well once I get back to Vermont.  It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.

However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link. 

Had a couple of interesting questions and points of feedback about the talk (and things I noticed):

• Yes, there were actually 243 slides and yet it came in a hair under 15 minutes.  This is a very different way of presenting than a "traditional" deadly PowerPoint presentation.  More slides... minimal text... fast transitions.  The point is to accent your story and leave the focus on you and what you are saying.  Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text.  One or two words maximum on a slide.
  
• Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos.  I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story.  Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets.  Lawrence Lessig is definitely a master of the style and I admire what he does.  When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF.  (It is also well worth a listen for the subject matter as well.)  So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation.  Personally, I wish more people would present this way.
  
• On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs.  He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.
  
  He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away.  But the question is whether or not they are secured by default.  In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security.  Perhaps they installed it and didn't enable required security options.  Perhaps they turned the security features off.  Perhaps the IP-PBX didn't have it in the first place.  I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder.  I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on.  All of the major venders in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP.  We have to, because enterprises demand it.
  
  That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space).  You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had.  So in the end, he did  have secure VoIP.
  
  It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
  
• Another person asked about why I focused only on SIP.  Well, the answer is pretty much...  15 minutes.  That's the amount of time I had to do this talk.  In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
  
• One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me.  I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story.  While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation.  VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..."  Welllll... not quite.  CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
  
• Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right).  I thought it was just a great little nod to the Canadian heritage of my employer!  (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
  
• And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference!  ;-)

With that, I'll end the commentary and just try out the embedding of the SlideShare object.  Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:

Comments, feedback and opinions are definitely all welcome.

Today starts the first day of ETel, a.k.a. O'Reilly's Emerging Telephony conference. ETel is not one of the giant conferences... unlike one of the VONs, Internet Telephony or VoiceCon there will probably only be 500-1000 people here.  But that is part of the charm, really (and this is only the second year)... it's a place for the VoIP alpha-geeks to network, promote their visions, combine their visions, socialize and otherwise just learn a heck of a lot from each other.   The schedule is packed with great info... the speaker roster is a veritable "Who's Who" of people playing in the "Voice 2.0" or "Telephony 2.0" (or <pick your cliche term>) space.  All in all, it's one conference I've been very much looking forward to.  Just in town last night, I've already run into Alec Saunders, Brad Templeton, Bruce Stewart, Surj Patel... had dinner with Blue Box podcast co-host Jonathan Zar and security researcher Shawn Merdinger...   I know Ken Camp is around, Andy Abramson, Om Malik and so many others... it should be a great and fun conference.

For my part, I am doing two sessions.  First, today at 1:30pm Pacific, Jonathan, Shawn and I will be doing a 90-minute workshop on VoIP security, primarily from an industry-wide VOIPSA point-of-view.  We'll go over the main issues around VoIPsecurity, talk about the threats, tools, best practices and more.  We're hoping to do it more as a fun conversation rather than a dry panel... you'll hopefully get to hear the results later yourself as I'll be recording the session for distribution as a Blue Box podcast.  O'Reilly has graciously given that permission again which is wonderful. (And I, of course, brought all my field recording gear.)

One of the things the three of us will also be doing is talking about a list of VoIP security tools that VOIPSA has been developing... stay tuned for more on that.

Then on Thursday I have my "general session"... my "15 minutes of fame" (or infamy) from 11-11:15am in front of the entired assembled crowd... where I will attempt to digest into that brief time the salient points about VoIP security.

I am actually VERY much looking forward to this session because I've done my presentation in a completely different style from any other presentation that I've given publicly.  I'm going to tell a story... and do so in a way that should be both fun and entertaining... and will also get the points across.    I'll say little else... except perhaps to dangle the tease that it comes in at over 200 slides yet clocks in at only about 11 minutes right now. (have to leave time for questions, eh?)    Like I said, completely different style from other presos I've given... but I'm very much looking forward to it.

Will I succeed?  Or will I fall flat on my face before several hundred of my peers?  Stay tuned...  ;-)

Fans of Blue Box have to be aware that I'm a wee bit behind in posting episodes... so I was delighted to finally get Blue Box #50 uploaded yesterday.  I still need to finish putting the show notes up there, but at least the show is out so that people can listen to it.  Given that we recorded it January 17th, it has already aged a bit.  Tonight or tomorrow I'm hoping to get #51 up... and then #52 has already been recorded as well... I'd like to get caught up before going out to ETel where I'm undoubtedly going to get more recordings for special editions.