Voice of VOIPSA

Back in July, I participated in a Telecom Junkies podcast discussing the then-current Pena/Moore VoIP fraud case. At the time, the Voice Report team had a website that only showed the current episode, i.e. if you missed the appearance of the episode on the home page, there was no easy way to go back and listen to older episodes.That is changed now. They do have permalinks for episodes and you can get an archive of older episodes. And so… ta da… you can now listen to the episode that we did back in July about the VoIP fraud case. Check it out if you are interested in that case. (Which we have subsequently discussed in a Blue Box episode where we recounted that Edwin Pena is now a fugitive on the run!)

Blue Box Podcast #42 is now available and covers a range of topics, including the security (or lack thereof) of VoIP service providers, news from the Internet Telephony conference, Skype security and the usual other VoIP security news, listener comments, etc.

Over at Blue Box, I have just uploaded a podcast of the “Intro to VoIP Security” panel at the Internet Telephony conference last week in San Diego, CA. Moderated by Ken Camp, the panel provided a good introduction to the basic issues related to VoIP security.

This is the first of several panel sessions related to VoIP security that we will be making available through the podcast feed. We thank Rich Tehrani and the rest of the TMCNet staff for allowing us to record the sessions. Thanks also to Ken Camp for his assistance and to all the panelists who gave their permission to be recorded as well.

I was the guest on the recent Security Roundtable podcast #5 focused on VoIP security.  I gave an overview of VoIP security issues, discussed some best practices and answered numerous questions from the group of hosts.  It was a wide-ranging discussion that covered enterprise VoIP issues, Skype, recent legislation, enterprise network issues and much more.  It was a fun podcast to be part of and I do appreciate the SRT team inviting my participation.  If you are new to VoIP security issues in general, do give it a listen.

Blue Box Podcast #39 and Podcast #40 were both made available for download last week. Both cover the usual recent VoIP security news, listener comments, etc., but Blue Box #39 discusses my recent trip to Fall VON 2006 and also gets into a discussion around 802.11i and why wireless VoIP doesn’t work now with a full PKI. Blue Box #40 also covers the continued VoIP fraud case that we started covering back in June or so. Skype security, of course, also gets more coverage in #40 as well. Please do give a listen - and comments and feedback are definitely welcome.

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I’ve uploaded three shows in recent days:

• Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!
• Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company’s tools and much more
• Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available… please do give a listen and let us know what you think.

Martin Geddes recently reflected on the use of Skype as a tool for recording podcasts with two people in different locations.  This is a technique that is used on many podcasts now, including Blue Box, the VoIP Security Podcast.  But as Geddes says, sometimes the quality is not all it should be, and it would be useful to be able to record in top quality, and in some way transmit this out-of-band, while using the inferior, real-time audio between the two podcasters.  Sometimes this technique (called double-ending, or a “double ender”) is done manually today in podcasting and in radio: each person records their end of the conversation locally, then the files get spliced together at the end to make a broadcast quality programme.  The telephone call only needs to be good enough for the two people to understand each other while the interview is taking place.

But adding double-ending functionality in Skype has interesting possibilities, apart from the podcasting one.  In some areas human speech needs to be understood by less tolerant parties than humans, for example in the areas of automatic speech recognition, or speaker verification.  Given that VoIP streams can be of cellphone quality (or lower), it could be useful for a computer system to be able to play back a passage of speech it was having trouble with.  For example, a speaker verification system might listen to the live VoIP speech, perhaps match with a certainty of 20%, then after a few tens or hundreds of milliseconds it could try again using extra hi-fidelity information that came in while it was processing the first time.  Much better than forcing the user to re-speak their passphrase over and over until the computer figures it out.

On the subject of Dan York (of Blue Box) and Martin Geddes, you can almost see them in this photograph from Fall VON.  York is moving at speed, presumably in order to eclipse Geddes.

Blue Box Podcast #36 is now available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and involvment with VOIPSA, and many other news items coming out of the conference.

On the Infoworld Zero Day Security page, Garza talks a little about the VoIP Phreaking session at the Black Hat conference, which is on right now in Las Vegas.  I’m looking forward to the promised podcast with The Grugg, who led that class.

On the Black Hat website is an archive of presentations from previous conferences, and the ones from the current conference should pop-up there in the coming weeks. 

Blue Box Podcast #34 is now available for download. In this show, Jonathan and I cover VoIP security news and then have a 27-minute interview with Yurie Rich and John Spence of Command Information about IPv6: What is new with security in IPv6? Is it really more secure? Who is using IPv6? etc. A good opportunity to learn what you do - or don’t - need to know about IPv6 and security.