Synopsis:  Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more

---

Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Special Edition #23 with Sonus Networks
• Squawk Box podcast about voice phishing – also this article Vishing: The Latest, and Greatest, Security Concern
• Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell’s coverage
• ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
• Voice of VOIPSA: Slides about P2PSIP security new available
• Voice of VOIPSA: RUCUS mailing list & BOF
• Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
• Also a whole bunch on SIP Identity
• SIP Torture Tests for IPv6 now out in RFC 5118
• SIP Usage Scenarios Similar to SPIT
• SPEERMINT Security BCPs
• SIP Identity Baiting Attack
• Concerns around Applicability of RFC 4474
• VoIP Hopper 0.9.9 released (site ) – Thanks to Frank Leonhardt for the info.
• VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
• ZDNet: Cracking GSM
• TMCnet- Practicing Safe OCS
• TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
• Speaking of Tom, Techtionary.com Releases SIP Security Checklist
• Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
• Voice of VOIPSA: Underpowered Hardware
• Project Spider – about SPIT
• CBC: Bell recovers stolen data on 3.4 million customers
• Comment (email) from Larry Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) about SE #23
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 40:01 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

My apologies for the long delay... we haven't "podfaded". We have several main shows recorded that I'm hoping to get out this week and I've got a host of volunteers ready to help with getting some of our backlog of "Special Edition" shows out... I just have to put the pieces in place so that those volunteers can help! Unfortunately, the process of buying a new home and selling our existing home has severely hit my available time and that's the primary reason for the delays. Within the next month or so that should hopefully all wind down and I can resume the regular activity....

Thanks for your patience!

Synopsis: Blue Box #77: Skype security vulnerability, German gov't looks at trojans, undersea cable cuts, Microsoft and Yahoo, VoIP security news and more

---

Welcome to Blue Box: The VoIP Security Podcast #76, a 36-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 4, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Comment (email) from someone looking for VoIP security professional in Connecticut
• SKYPE-SB/2008-002: Skypefind Cross Zone Scripting Vulnerability with discussion in The Register
• The Register: Skype Trojan wiretap plan leaks onto the net
• PC Pro: VoIP stumps spooks
• Skype Journal: The Bavarian Intercept Proves Skype is Secure
• Voice of VoIPSA: More ETSI Security Workshop presentations now available online
• Voice of VOIPSA: Breaking Ciphers on a 5.8MHz Pentium
• Voice of VOIPSA: Raising a RUCUS at IETF 71
• SearchUC: Early adopters of unified communications need to ask about security
• CNN: Third undersea cable cut in Mideast
• US Transport Security Administration now has a blog called the Evolution of Security
• SecureLogix Receives Thirteenth Patent
• Thomas Porter’s 2006 “Practical VoIP Security” book now available as a free download – such as this
• Microsoft offers to buy Yahoo – “tons of coverage” – interesting piece on ZDNet about Google’s response
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 36:19 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

WOW! I don't know that there is much else Jonathan and I can say after the incredible response we've had to our request for production assistance (also in SE#24). The offers started coming in within a few hours of SE#24 going live and I think we're up to 12 people now who have said that they'd help. THANK YOU! We're both overwhelmed and humbled by the many great folks who have offered to help... and also the words they sent our way saying how much the show mattered to them. Thank you! At this point, it would definitely look like we're all set for the moment, so it doesn't appear we need any further assistance. Now we just have to get set up to make use of all the offers that have come in! Stay tuned for more info - and more shows!

Technorati Tags: blue box, bluebox

As we discuss in Blue Box Special Edition #24, we find ourselves in a bit of a dilemma. With each conference/show that we go to, we accumulate more great recordings of interviews that we do, panel sessions we record and other similar sessions. The goal is to turn these into "Special Edition" podcasts that we can make available in the podcast feed. We have two shows coming up this month, VoiceCon and VON, where we will record more sessions and interviews. Additionally, we do get requests to interview people that sometimes are quite interesting.

The problem we have is finding the time to do the post-production on the recordings to turn them into podcasts. We could, of course, just slap a generic intro and outro on a recording and throw it out there in the feed... but I think you all know that we don't want to waste your time! For instance, including the Q&A portion of a panel session where you can't hear the audience questions is pretty useless. Or including the part of the interview where announcements came over an intercom and you can't hear the interviewee is rather silly. So we want to take the time to go through a recording and see how we can "tighten it up". Remove breaks or big gaps of silence... speakers setting up laptops... interruptions to interviews etc. We don't remove every "um" or pause... we do want it to feel natural, after all, but we try to edit out the big gaps, errors, interruptions, etc.

The challenge of course is that to do this you have to listen all the way through a podcast, editing along the way. Sometimes you don't have to make many edits at all. Sometimes there a bunch of things to edit out. But it takes time... if the panel is 45 minutes you've got to have at least that much time (and probably double if you do much editing and keep stopping/starting). Unfortunately time is something neither Jonathan nor I are finding a whole lot of these days. I now have a queue of probably 10 or 12 recordings we've made over the past 6 months that are just sitting there waiting for me to get the cycles to turn them into Special Editions. Some are 20-minute interviews. Some are 45-minute or hour-long panels from conferences.

So therefore our request in show #24:

we're looking for a few good production assistants!

What we'd love to do is to find a couple of people who would be willing to work this way:

• I get to you the WAV file of the recording as well as the intro/outro.
• You edit the file in whatever audio tool you prefer: Audacity, Garage Band, SoundForge, whatever... (I use Audacity)
• When you are done, you export to a MP3 and get the MP3 to me.
• I do a final check, set the ID3 tags, etc. and upload the MP3 file, create the show notes, etc.

The good news about most of the recordings we make is that they are not overly time-sensitive. We want them up as soon as we can, but if it takes some time to do the post-production as you fit it in around other work, that's generally perfectly fine.

Obviously if you have experience with audio editing that's great. If it's something you've been interested to try your hand with, we're open to having you give it a try. (Please do realize that I'm a control-freak and audio quality stickler, so it's a new thing for me to even *consider* letting other people work on our files... but I've reached the point where I think it's more important to get the content *out*! So I'm willing to try it out... :-)

We can't offer you any money or anything like that (this is a labor of passion, not profit!) but we're certainly glad to give credit in show notes, Blue Box website, etc. You'll also be helping the greater community of security professionals interested in VoIP by getting more content out there in a more rapid manner. (i.e. faster than if we're waiting for me!) You may also gain skills in audio production (if you don't already have them) that may assist you in other endeavors.

Anyway, if you are interested, drop us an email with the subject line "Production assistance" and with a little bit of background about yourself. Sometime in the next week or two (probably after March 20th) we'll start seeing what we can do if there are people interested.

Thanks - and thanks for your patience, too.

Dan & Jonathan

Synopsis: Special Edition #24: An Update on Blue Box, upcoming shows and a request regarding production assistance

---

Welcome to Blue Box: The VoIP Security Podcast Special Edition #24, a 17-minute update on the status of Blue Box episodes, the shows we are attending and a request regarding production assistance.

Download the show here (MP3, 8MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

---

Show Content:

In this special edition, we provide an update on the status of Blue Box episodes and our travel schedule over the next few weeks.  Specifically:

• IETF-71, March 10-14, Philadelphia, PA, USA
  
  • Dan will be at IETF 71 next week attending the sessions related to Real-time Applications and Infrastructure (RAI)
  • There will be audio streaming and IM chatrooms if you you would like to listen in to IETF sessions. Watch the VOIPSA blog for more information.

• VON.x, March 17-20, San Jose, CA, USA
  • Jonathan will be attending
  • The will be a dinner on Tuesday evening, March 18th, hosted by Dean Elwood to which Blue Box listeners are invited. Please RSVP by this coming Wednesday, March 12th, preferably in the Facebook event or if you avoid Facebook via email to Dean. Jonathan will be there as well as Martyn Davies and a number of VoIP bloggers and other interesting folks.

• VoiceCon Orlando, March 17-20, Orlando, FL, USA
  • Dan will be attending and moderating two panels (voip security and open source) and participating in a keynote panel on social networking and enterprise communications.
  • Dan is looking to set up a dinner, probably on Tuesday evening. Watch the blog for more info.
  • Longtime listener and commenter Craig Bowser will also be there.

We also discussed the challenges we are experiencing finding the time to do post-production on all the recordings we are making of interviews and panels to turn them into Special Editions. To that end, we are wondering if any listeners would be willing to assist in the post-production of some of these recordings. More information is available on the Blue Box website (and obviously in the podcast).

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #76: Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills, plus listener comments and more...

---

Welcome to Blue Box: The VoIP Security Podcast #76, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Cisco: Cisco Unified Communications Manager CTL Provider Heap Overflow
• Skype: SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability – coverage in Skype blog and ComputerWorld article
• GNUcitizen: BT Home Call Jacking also mentioned in VOIPSEC message – coverage in PC World and The Register
• Voice of VOIPSA: SIP Security slides at ETSI event
• Voice of VOIPSA: How do you differentiate between legitimate SIP usage and SPIT? pointing to Dan’s Internet-Draft document
• RFC 5039 on SIP and Spam
• Sipera “news release on Top 5 VoIP Threat Predictions of 2008 – coverage in The Register: 2008 – the year VoIP gets hacked? and IT Business Edge: VoIP Security Still Falling Short
• SearchSecurity.com: Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization
• C|Net blogs: Can terrorists use the Net to avoid wiretaps?

FBI Wiretaps dropped due to unpaid bills

• CityCell joins rivals forced to pay up for VoIP infringements
• Comment (email) from someone looking for VoIP security professional in Connecticut
• Comment (email) from Shlomo Dubrowin
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 38:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

If any of you reading this are at the Mobile World Congress (formerly "3GSM") in Barcelona, Spain, this week, Jonathan is there as well. If you are there, please do drop him an email as (schedule permitting) he is always interested to meet up with listeners and others interested in VoIP security.

Technorati Tags: mobile world congress, 3gsm, jonathan zar, voip, voip security, voipsa

Synopsis: Interview with Bob Bradley of Sonus Networks

---

Welcome to Blue Box: The VoIP Security Podcast Special Edition #23, a 19-minute interview with Bill Bradley, Product Line Manager for Security Solutions at Sonus Networks.  Recorded at Fall VON in Boston at the end of October 2007.

Download the show here (MP3, 9MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

---

Show Content:

In this Special Edition, I sat down with Bob Bradley, Product Line Manager for Security Solutions at Sonus Networks to talk about their products and how they protect VoIP and other traffic. In particular we discussed the Sonus Network Border Switch including how it fits into network installations and how it is different from other similar products on the market.  We also covered some general issues around SIP security and talked about the company in general.

I will candidly admit that I was not very aware of Sonus' solutions prior to this podcast, but since this time I've found their products running in a range of places I had not noticed them before.  I believe you all will find this a useful introduction to an interesting company and useful solutions.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more...

---

Welcome to Blue Box: The VoIP Security Podcast #75, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• AST-2008-001: Remote Crash Vulnerability in SIP channel driver
• Voice of VOIPSA: IETF seeking feedback on ‘Requirements from SIP Session Border Controller Deployments’
• SANS paper on VoIP Security pointing to actual paper
• ComputerWorld: Security dominates 2008 IT agenda
• TechCentral.ie: Coming Together – 8 for 2008
• SecurityPark: IT managers complacent about VoIP infrastructure security threats
• TechRepublic: SPAM and SPIT: what are the dangers? pointing to Does UC present new opportunities for spammers?
• VoIP-News: The VoIP-News Top 25 VoIP Blogs of 2007
• List of VoIP Hacking software
• ITworld.com: IT job skills that matter now (see the first line of the sidebar)
• Comment (audio) from Frank Leonhardt
• Comment (blog) from Raffi
  welcome_to_blue.html#comment-96147586 about Blue Box #73
• Comment (blog) from Aswath
• Comment (email) from Ben Penson
• Comment (email) from Shawn Merdinger
• Comment (email) from Jon Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) from someone seeking assistance in southern California
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #74: 2008 Crystal Ball Edition, Asterisk and Trixbox vulnerabilities, top 10 lists, VoIP security trends for 2008 and more....

---

Welcome to Blue Box: The VoIP Security Podcast #74, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• SE 22 with Jonathan Rosenberg
• Asterisk AST-2007-027: Database matching order permits host-based authentication to be ignored
• Voice of VOIPSA: Trixbox contains ‘phone home’ code to retrieve arbitrary commands to execute
• trixbox CE audit tool official statement and fixes
• Audit Tool Change Plan
• Audit tool ‘fix’ being pushed out tonight
• ComputerWorld: VoIP vulnerabilities increasing, but not exploits
• CRN: Top 9 VoIP Threats and Vulnerabilities (Sipera PR strikes again) – points to CRN article: VoIP Threats, Vulnerabilities Abound which is based on press release Sipera VIPER Lab Reveals Top 5 VoIP Vulnerabilities in 2007
• Voice of VOIPSA: Pointers to any audi methodology for forensic analysis of VoIP systems?
• TMC.net: SIP and Security: Just Do It Right!
• PAETEC, Alcatel-Lucent Deploy Industry Leading Disaster Recovery VoIP Solution
• Feature: top stories of 2007 and trends for 2008
• No comments this week.
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #73: SIP security issues at IETF 70, Skype security, vulnerabilities in Cisco and Nokia phones, Vietnam's cyberdissidents, VoIP security news, listener comments and more...

---

Welcome to Blue Box: The VoIP Security Podcast #73, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on December 11, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Voice of VOIPSA: Skype fixes flaw in Windows version
• Cisco 7940 Denial of Service
• Nokia N95 Remote Denial of Service using the SIP Stack
• Network World: VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others pointing over to series of posts on the Telecosm blog and the start of a series on VoIP security including DoS and anonymity
• VoIP News: Not Waiting For the Big One
• TechWorld: VoIP is the next big hack (follow up on Peter Cox)
• Globe and Mail: Cyberdissidents weaving along new path
• National Security Agency Certifies New Sectra vIPer Phone by General Dynamics for Top Secret Communications (sent in by Peter Thermos)
• Websense Predicts 2008’s Top Ten Security Threats
• International Telephone Services Company Deploys Secure Computing’s Sidewinder to Protect VoIP Communications
• Feature –  IETF 70
  • IETF 70 Agenda
  • Security a major discussion point
  • Media control – requirements and architecture to need more security work
  • SPEERMINT - Saverio Niccolini will bring security document back through
  • SIPPING - Spam Score and SRTP Key Disclosure and Updates to Asserted Identity – also covered in SPITting in your general direction
  • SIP - Media Identity and DTLS Framework
  • MMUSIC - big news was that ICE is now in the queue to be issued as an RFC
  • BEHAVE - TURN
  • P2PSIP – interesting discussion on NAT in P2P SIP and security in P2P SIP
• Comment (email) from Frank Leonhardt
• Comment (email) from Rhodri Davies
• Comment (email) from Peter Thermos
• Comment (email) from Ben Penson
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 44:28 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview about SIP NAT Traversal with Dr. Jonathan Rosenberg, Cisco Fellow and author of many RFCs and Internet-Drafts related to SIP for the Internet Engineering Task Force (IETF).

---

Welcome to Blue Box: The VoIP Security Podcast Special Edition #20, a 25-minute interview with Dr. Jonathan Rosenberg about SIP and NAT Traversal.  Recorded at Interop New York in October 2007.

Download the show here (MP3, 13MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

---

Show Content:

In this Special Edition, I sat down with Dr. Jonathan Roseberg at Interop New York in October 2007 to talk about SIP NAT Traversal. Jonathan, a Cisco Fellow, has authored many RFCs related to SIP for the Internet Engineering Task Force (IETF) and in fact was a co-author of RFC 3261, the original specification for the SIP protocol.  He is also the author of "The Hitchhiker's Guide to SIP", a document that aims to help people find their way through all the many documents that today make up what we call "SIP".

For the past few years, Jonathan has been extremely involved in the whole issue of SIP and NAT traversal and has authored several of the major Internet-Drafts on the issue.  In this interview, we discuss:

• What the issue is with SIP and NAT traversal
• How ALGs and SBCs attempt to solve the problem
• Methods that have been developed by the IETF, specifically:
  • STUN
  • TURN
  • ICE
• The role of ICE going forward, who is supporting it, etc.

I believe you will find it a very educational session and very helpful in understanding this major issue with regard to SIP.  We thank Jonathan Rosenberg for his time.

If you enjoy this show, we would also suggest you go back and listen to Blue Box Special Edition #20, our interview with Cullen Jennings about SIP security.  The two shows complement each other extremely well and provide a solid understanding of the current state of SIP security.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Here is our new comment line number: +1-415-830-5439.

Here's the story...

To my immense annoyance, it seems that we have once again lost our K7.net call-in number for comments: +1-206-350-7280. That isn't the bad part, really... what annoys me most is that the number still appears to work! You can call it up and leave a message, but if it goes anywhere, it is not going to us! In the past, when we've lost our K7 number, the number has been inactive to some period of time, so callers just got a message saying that the number was no longer in use. Now it appears that the number has been reallocated already - or at least is accepting calls.

So please do not call that number!

I'm going to use this failure as an opportunity to completely drop our usage of K7.net. K7.net is a "unified messaging" service that is widely used by podcasters because it provides a very simple and easy - and free - service: Callers call in to a phone number, leave a message, and then you receive an email with the comment attached as a WAV file. It is great for a podcaster. Simple. Easy. Just works.

However, there is this wee minor little detail that is shown in the terms of service at the bottom of the sign-up page:

If a K7 number is inactive for 30 days (use is determined as a voice message or fax message to that number) , we may terminate the account for non-use.

This has been the bane of many podcaster's existence. If you don't get a call in 30 days, you lose your number. This impacts podcasters, especially, because our shows may live on out there on the Internet for an incredibly long time. You can still download Blue Box podcast #1 from two years ago which has the wrong comment line included (in fact, it is 2 or 3 numbers ago). So losing your number is really quite bad from a community-building point-of-view. If you put out frequent shows and get frequent comments, this usually isn't a problem. However, if you are a show like ours where we've been only doing maybe two shows a month it may be more of a challenge. I know that here in New England, the New England Podcasters group was instituting a "reminder day" where it was a monthly day to call your comment line to be sure you kept it. In any event, we seem to have lost our number.

Now, I can't really complain about the service because it is free and the K7 folks have always been very up front about the termination for non-use clause. All I can really do is find another alternative.

I have now done so. My new employer, Voxeo, has a website for developers called evolution.voxeo.com where you can create voice applications in several different XML variants (VoiceXML, CCXML or Voxeo's own CallXML). You can create a free developer account and with that you can create apps that have their own inbound phone number. For free. Anyone can do so. There is, at least currently, no expiration date or termination clause for non-use (although the terms of use do of course indicate that Voxeo can change or revoke the numbers at any time). So what's the catch? Well, Voxeo hopes that you like to develop apps on our platform so much that ultimately you'll need our hosting services for your applications.

So I've created my own little experiment in the form of a new comment line: +1-415-830-5439.

Right now it's just a computer-generated voice but I'll add in my own prompts soon. Interestingly, this number is also reachable via some other phone numbers:

• Skype: +99000936 9992002622
• FWD: **86919992002622
• SIP: sip:9992002622@sip.voxeo.net

And while we are NOT going to switch from using our SIP "bluebox@voipuser.org" address, it's nice to know that it is available.

Since I know many of our listeners like to know the code underneath things, here is the full text of my "application" that does this:

<?xml version="1.0" encoding="UTF-8"?> 
<callxml version="2.0"> 
<block> 
<text> Thank you for the calling the comment line for Blue Box, The Voice over IP Security Podcast.  Please leave your comment after the tone.  Thank you.</text> 
<recordaudio maxtime="3m" value="mailto:blueboxpodcast@gmail.com?subject= 
Voicemail message - listener comment&fromname= 
Voxeo Messaging&fromaddress= 
dyork@lodestar2.com&body= 
Voicemail message&filename=comments.wav"/> 
</block> 
</callxml>

It uses Voxeo's own CallXML language which was developed before VoiceXML and CCXML (Call Control XML) were standardized. Why did I use CallXML versus VoiceXML and CCXML? Primarily because I wanted to learn CallXML - and also, frankly, because it seemed to have the easiest commands to do what I was trying to do. It basically says a piece of text and then records up to 3 minutes of audio and emails it to our standard comment line. Ta da... same thing as I was doing with K7.net, but without the annoying termination after 30 days of non-use.

Anyway, that's the new number and the story behind it. Hopefully I won't be changing it again anytime soon!

Technorati Tags: blue box, bluebox, k7.net, voxeo

Synopsis: Blue Box #72: Asterisk security vulnerabilities, Skype and the German government, VoIP security news, listener comments and more

---

Welcome to Blue Box: The VoIP Security Podcast #72, a 25-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 11MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on November 30, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• - AST-2007-025 – Asterisk – SQL Injection issue in res_config_pgsql
• - AST-2007-026 – Asterisk SQL Injection issue in cdr_pgsql
• - TechWorld: Expert scares world with VoIP hacking proof pointing to SIPtap - Articles also in ComputerWorld
• - Wired: Skype encryption baffles German police – also in The Register and TechDirt
• - VoIP News: Why Nobody’s VoIP is Secure
• - PC World: ‘Swatters’ Trick AT&T’
• - Comment (email) from Shawn Merdinger
• - Comment (email) from Yann Cloatre
• - Comment (email) from Miguel Garcia
• - Comment (email) from Roel Villarius about Dutch spam filter
• - Review of the last week's traffic on the VOIPSEC public mailing list 
• - Wrap-up of the show
• 25:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.