Archive for the 'VOIPSA' Category

Question for readers - what do you think of the new order of the sidebar?

Friday, March 30th, 2007 by Dan York

Question for folks reading this weblog: what do you think of the way I just re-ordered the sidebar of this blog? The “Recent Posts” section was up at the top before and while that was useful, I thought it might be more helpful to have the list of categories and contributors up near the top on the first screen of information people see. What do you think? Did you use the “Recent Posts” to quickly see what was here? Or did you just scan down the page? (or read this site in an RSS reader?) Any comments or opinions would be appreciated. I can re-order it in whatever fashion we wish.

Blue Box #54 - new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Monday, March 26th, 2007 by Dan York

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… In this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmermann and ZRTP, SPIT, the ETel conference, and also talked a good bit about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

Blue Box podcast #53 - Skype security, OpenID vs OSP, Cisco IP phone advisories, EU privacy legislation… and smokers a threat to VoIP security?

Tuesday, March 13th, 2007 by Dan York

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

ETel VoIP security session - “The Story of SysAdmin Steve” - now available as a podcast

Tuesday, March 13th, 2007 by Dan York

At O’Reilly’s 2007 Emerging Telephony conference last week in San Francisco, I had the opportunity to give a 15-minute presentation to all attendees about VoIP security. Rather than doing the traditional slideware outlining the threats, tools, best practices, etc., I tried to do something very different and simply tell a story of what could happen if a VoIP system were installed in an insecure manner - and how to go about securing that system. I tried to make it interesting and humorous (something not often tied to VoIP security) and the feedback at the show was quite positive. The audio and slides are now available over at Blue Box and I’d definitely be interested in any feedback you all have about the presentation, either in content or style.

MercuryNews.com: Will US wiretapping regulations kill peer-to-peer VoIP (like Skype)?

Monday, February 5th, 2007 by Dan York

That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news… but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN must comply with the FCC regulation by May 14, 2007, but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:

But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.

Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:

We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.

We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.

Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, it’s not really our place as an organization to wade into the debate over legislation in one particular country. But it is definitely a matter that merits discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns - and security concerns. Where do we as nations, companies and individuals strike the balance?

VOIPSA Best Practices - LAST CALL for comment on document structure

Wednesday, January 17th, 2007 by Dan York

Over on the Best Practices mailing list, I have now issued a last call for comments on the structure of the document. The document structure question is outlined on the Development Process page in the VOIPSA wiki. Right now all signs point to a near-consensus on using proposal #2 to structure the document around functional areas… but I asked yesterday for any final comments. Barring any last-minute cascade of outrage and desire for another structure, I’ll make the decision tomorrow morning and we’ll get down to work. Comments can be left here on the blog, if you want, but the best place to route them is probably the mailing list. Thanks.

VoIP News gets it basically right with “How Secure Are Your VoIP Calls?”

Wednesday, January 3rd, 2007 by Dan York

Yesterday the VoIP News web site posted a feature article: How Secure Are Your VoIP Calls? It includes quotes from both Jonathan and myself and generally makes the points we’ve made both here and on Blue Box around VoIP security. Overall a good article with only a few minor nits to pick:

  • The question I would generally suggest customers ask their enterprise vendor is “What do you do to secure voice communication over the LAN?”
  • I don’t know that I would have said enterprise phone systems were “enterprise stuff” but hey, you get the idea.
  • In the second bullet at the end, the point is to ensure that call control is encrypted or otherwise protected. Many people first think of encrypting voice because eavesdropping is something easy to understand - and they don’t think about call control. Yet you could argue that call control is perhaps more important because far more devious things can be done if you can corrupt call control.
  • Unless he’s holding out on us, Mark Collier does not write the VoIP Lowdown blog that had this list of VoIP security challenges. In fact, if you note, Mark commented on the article (and perhaps because he was the last commenter someone assumed he wrote the blog). Mark actually writes over at www.voipsecurityblog.com (where I note he has a nice new header image and picture) as well as here on this blog once in a while. He actually has a post on his blog pointing over to this list on VoIP Lowdown.
  • It’s actually not entirely clear from the post who did write that list at VoIP Lowdown, but on this page it states that the writer was Pushpa Sathish, who is also the person now having a byline on all the new posts since that time (which is good because it will save them this attribution issue in the future).

Again, relatively minor details in the grand scheme of things (although Pushpa Sathish may not appreciate the attribution going to Mark) and a good contribution to the overall conversation on VoIP security.

Thanks, VoIP News, for running the feature story!

Jon Arnold interviews me for Pulver podcasts

Thursday, December 21st, 2006 by Dan York

Another podcast to note… Canadian analyst Jon Arnold interviewed me for his Canadian thought leaders podcast series all about… gee… VoIP security! (Yes, okay, so I no longer live in Canada, but I did live there for most of 5 years and I still work for a Canadian company.) We had a great chat about VoIPSA, Blue Box, VoIP security in general and my views on some of the current vulnerabilities to VoIP. It runs about 19 minutes or so and you can get it from the link on Jon’s blog.

Blue Box #47: Deflating VoIP security hype, SANS and the need for better VoIP security training, India moves to block Skype and other VoIP, Skype security, tutorials, listener comments and more…

Thursday, December 21st, 2006 by Dan York

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show… probably the most we’ve ever had. See the show notes for all the links and info.

VOIPSA “VoIP Security Best Practices” project to launch this week - join the mailing list now!

Tuesday, November 28th, 2006 by Dan York

I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of “best common practices” that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I’m still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don’t want to join a mailing list, updates will be posted here on this blog from time to time.