Archive for June, 2006

Advisory Board Survey Report

Friday, June 2nd, 2006 by Jonathan Zar

A summary of survey results has been sent to all members of the VOIPSA advisory board. Thank you to all who participated.  Your input is being incorporated now into revisions of the VOIPSA membership materials.

Day 2 of the VoIP Security Workshop in Berlin.

Friday, June 2nd, 2006 by Martyn Davies

Many good sessions today including Christian Stredicke, CEO of VoIP phone specialist SNOM, and Bogdan Materna (VOIPSA member and VoIPShield Systems’ CEO). Stredicke’s talk was on the subject of securing VoIP media.  To summarize to the bare bones, he said that it’s done and dusted for most aspects: securing signalling means TLS; securing streams means SRTP and key exchange will likely use Sdescriptions (SDES).  Well, perhaps not so simple as that in the area of key exchange: he cited 11 proposals still on the table, including 5 variants of MIKEY and 2 of SDES.  Stredicke also cited Phil Zimmermann’s ZRTP technology as interesting, but “too late”.  Stredicke said that if ZRTP had arrived two years ago, it would for sure be a leading contender, but many implementations of SDES already exist.

The day closed with an excellent panel discussion chaired by Dorgham Sisalem, and featuring panellists Christian Stredicke, Michael Haberler (Enum.at), Saverio Niccolini (NEC) and Hannes Tschofenig (Siemens).  They tackled a wide range of subjects including “Is Legal Intercept Evil?” and “Will we dial numbers in 10 years time, or SIP URIs?”.  I also saw Niccolini’s presentation yesterday, where he referred to the Threat Taxonomy project at VOIPSA, so it was nice to see our work being used in practice.

Final thoughts: Nice social crowd, interesting sessions and well organized.  Altogether a very worthwhile event; I’m looking forward to the next one.

The 3rd Annual VoIP Security Workshop opens today, Berlin

Thursday, June 1st, 2006 by Martyn Davies

There’s an excellent turnout, and Fraunhofer Fokus are doing a great job of hosting, with free WLAN (hence this blog entry) and everything you would expect from a well-run conference.

The keynote speech today was provided by Virgil Gligor of the University of Maryland, on the subject of Adversary Models; in other words, it is necessary to define the adversary before we can decide what ‘secure’ means. Prof. Gligor was the 2006 recipient of the prestigious National Security Award, and he also has the distinction of being the first person ever to write a paper about Denial of Service attacks.

In a wide-ranging talk, Prof. Gligor pointed out that in the history of computing there has often been a gap of 10 or more years between the use of a technology and the addressing of security issues that arise from it. This is of course also true today of VoIP and VoIP security, and he assures us that at least this means we will all have jobs for life.

One of the key messages of his talk was that “Perfect is the Enemy of the Good”, or in other words, we can secure a system 100%, but end up with a completely unworkable system. On the other hand we can engineer systems that work, but only detect perhaps 70% of intrusions and other security problems. There is no such thing as a completely secure system.