Synopsis: Interview with Geoff Devine from Cedar Point Communications about the security of VoIP over cable networks, VoIP security news and much more

Welcome to Blue Box: The VoIP Security Podcast show #19, a 63-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show features a 36-minute interview with Geoff Devine from Cedar Point Communications about security of VoIP over cable networks.  As usual, the show also features news and comments from listeners.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 01:59 – Per Mark Collier the  Jonathan Collier term paper was a forgery.  Unfortunately, the term paper is a blatant plagarism of Mark’s earlier article.
• 06:07 – Irwin Lazar has made his presentation available from his webcast
• 06:48 – TMC.net: Sipera Launches VoIP Security Product and Sipera news release
• 08:08 – VoIP Magazine: SecureLogix CTO to Discuss Best Practices in Securing VoIP Networks
• 08:31 – Mark Collier launches his own VoIP Security Blog
• 08:58 – InsideBayArea.com (AP story) Caller ID not as reliable as you think  (also WombatNation blog entry )
• 12:16 – SecurityWatch blog: VoIP not that popular in the UK which points to BBC article:  Hanging on the Internet telephone
• 12:59 – Report on SANS/Nortel webcast last week about VoIP security
• 13:40 – News release: Mitel: MedQuist Virtual Workforce on the job through Mitel Technology
• 14:03 – Mitel: Foundry Networks and Mitel Expand Partnership with Advanced Open VoIP Solutions
• 15:02 – Upcoming conferences – anyone interested in reporting from any of the upcoming shows?
• 16:44 – Feature interview with Geoff Devine from Cedar Point Communications about the security of VoIP over cable.  Interesting glimpse into the world of cable systems and the PacketCable series of standards, including how security really works on cable systems.
• 53:30 – End of interview and brief discussion.
• 55:19 – Comment from "ponyboy" who also has a show called BellCoreRadio on DDP HackRadio Saturday nights at 8pm
• 56:47 – Comment from Shawn Merdinger on start of investigation into Linksys WIP300 WiFi handset
• 57:31 – Comment from Bruce Stewart on ETel coverage
• 58:05 – Comment from Martyn Davies on voice quality
• 59:07 – Review of the last week’s traffic on the VOIPSEC public mailing list. Large amount of interesting traffic on topics including security tools, books, links and more
• 60:54 – Note that Chris Martin is looking for questions for a new poll at SIP1.com
• 61:36 – Wrap-up, info about how to leave comments, upcoming shows, etc.
• 62:48 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Tutorial on SPam over Internet Telephony (SPIT), discussion around Microsoft and Cisco’s competing network security proposals (NAC vs NAP), VoIP security news and much more

Welcome to Blue Box: The VoIP Security Podcast show #18, a 36-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show features a mini-tutorial on SPam over Internet Telephony (SPIT) and includes a guest commentary from Rick Robinson. The show also includes a brief discussion of the different competing architectures put forward by Microsoft and Cisco for controlling access to the network.  The show also features the usual news and comments from listeners.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 03:20 – A note about the dates we put at the beginning of shows
• 04:10 – Burton Group/Cisco webinar  – recording available  (but you seem to have to have been already set up with Interwise’s software)
• 05:07 – TMC.Net: Patton Electronics: New SmartNode VoIP More Secure
• 05:31 –SANS/Nortel webcast on Wednesday about VoIP security  (someone from TippingPoint in there as well)
• 06:08 – If you like this podcast, you may also like Steve Gibson’s "SecurityNow" podcasts, and in particular these:
  • How the Internet Works, Part 1
  • How the Internet Works, Part 2
  • How Local Area Networks Work, Part 1
• 08:39 – Upcoming conferences – anyone interested in reporting from Berlin?  (Who will already be there)
• 09:32 – Introduction into our tutorial on SPam for Internet Telephony, aka "SPIT".
• 10:33 – Commentary on SPIT by Rick Robinson
• 14:07 – Further discussion and examples of SPIT
• 21:19 – Discussion on different competing architectures from Microsoft and Cisco related to network access, primarily building on this Network World article: Microsoft, Cisco, not in sync on security
• 27:04 – Comments – Vash-media: security podcasts
• 28:54 – Review of the last week’s traffic on the VOIPSEC public mailing list. Large amount of interesting traffic on topics including:
  • Using VoIP over SSL VPNs
  • tunnelling all traffic over IPSEC versus separately encrypting signalling and media
  • which vendors are really using SRTP in their phones
  • using softphones with TLS and OpenSER
• 31:07 – Note that all Emerging Telephony shows have now been posted
• 31:24 – Question for the audience: we have been approached about more formally tying the show to the VoIP Security Alliance (VOIPSA)? Is this a good thing?  bad thing? does anyone care?
• 33:11 – Looking for some folks interested in coming on the show to debate whether or not you should firewall off IP-PBXs from the internal network – interested in joining the PRO or CON side of the debate?  Email us and let us know.
• 34:45 – Wrap-up, info about how to leave comments, upcoming shows, etc.
• 35:57 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview/tutorial with Per Cederqvist about sdescriptions, VoIP security news and much more

Welcome to Blue Box: The VoIP Security Podcast show #17, a 41-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show features an interview/tutorial with Per Cederqvist about the ‘sdescriptions’ method of SRTP key exchange. The show also includes a brief segment with folks from NetIQ as well as the usual news and comments from listeners.

Download the show here (MP3, 38MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 01:59 – Unstrung: WiFi Voice: How safe? and Five WiFi VOIP Security Issues
• 03:50 – Network World: Network security is the key to keeping VoIP secure  and again on 2/20?
• 06:52 – IT Business Edge: A Multi-Layered Approach to VoIP Security  (Q&A with former guest Steve Mank of Qovia)
• 07:09 – Discussion about the RSA Conference that Jonathan attended
• 11:32 – Feature interview with Per Cederqvist of Ingate systems about the "sdescriptions" method of SRTP key exchange. He provided a great introduction to the protocol and explained both the positive and negative sides of using it.  The interview included:
  • Background on Ingate, his role, etc.
  • sdescriptions background, rationale
  • standards status, industry support
  • differences from MIKEY
  • importance of SSL/TLS
  • encryption used
  • reference implementations?
  • interoperability – contact Per at "ceder@ingate.com" if you are interested in interop testing
  • 21:40 end of interview
• 22:00 – Comment section – Shawn Merdinger
• 22:49 – audio comment from Martyn Davies
• 25:49 – inquiry from a radio station about comment line software
• 26:53 – Brief interview with Jeff Hicks and Randy Rosenbaum about their news release – NetIQ Unveils First Integrated Systems and Security Management Solution for VoIP (See also this Network World article)
• 38:53 – Review of the last week’s traffic on the VOIPSEC public mailing list…. there was none!  Quiet week on the mailing list, but that is sure to change.
• 39:27 – Final comments, wrap-up of show, upcoming conferences, how to give comments, etc.
• 41:00 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview with Alec Saunders, CEO and "Relevance Revolutionary" of Iotum about security and privacy as they relate to Iotum’s new relevance engine. The interview was recorded at O’Reilly’s Emerging Telephony Conference in January 2006.

Welcome a special edition of Blue Box: The VoIP Security Podcast from the floor of the Emerging Telephony Conference in San Francisco, CA. Every now and then startups emerge that are just doing things that I personally find interesting.  Iotum is one of those companies.  The main thing they are focused on is making communication more relevant to you… as they say on their home page:

iotum is the world’s first smart platform that lets you control who reaches you and how. Get the calls you want, where you want, and avoid those you don’t.

As I came to know more about the company, I was curious to know about how they handled securely gathering all the context information about you and how they preserved the privacy. So out at ETel 2006 I sat down with Iotum CEO Alec Saunders to talk about what Iotum is doing and issues around security and privacy.  In this interview, we covered those points and also ranged into a wide variety of other privacy-related issues such as GPS and cellphones in Japan, social issues around privacy and other points.  While it is a bit outside the realm of topics we normally cover, I hope you find it as interesting as I did.

If you would like to learn more about Iotum, Alec Saunders also maintains his own weblog where he writes on Iotum, VoIP and other topics. I’ll also note that Alec’s "mug shot" photo is not from any recent trip to jail but rather from a bit of fun the company had creating images for all the company members.  (Ahh, the things you can do as a startup…)

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.  The interview runs about 20 minutes.

You may also listen to this podcast right now:

NOTE: This is the last of the interviews and shows coming out of ETel 2006.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.
Audio comments sent as attached MP3 files are definitely welcome and
will be played in future shows.  You may also call the listener comment
line at +1-206-338-6654 to leave a comment there.

Synopsis: Interview with Nick Frost from the Information Security Forum about his recent VoIP security report, news of upcoming shows, VoIP security news and much more

Welcome to Blue Box: The VoIP Security Podcast show #16, a 69-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show features a 23-minute interview with Nick Frost from the Information Security Forum about his recent VoIP report. The show also includes brief segments from Irwin Lazar on an upcoming webcast, Carl Ford about VON and the usual news and comments from listeners.

Download the show here (MP3, 65MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map! Also included mention of upcoming interviews:
  • Feb 20– Per Cederqvist of Ingate systems on to talk about ‘sdescriptions’ key exchange
  • Someone on security over packet cable systems
• 04:07 – News section – update on Cambridge/MIT CRN storied covered in show #15
• 04:51 – Shawn Merdinger has a new site for VoIP outages: http://voip-outage.blogspot.com/
• 05:11 – Paper: Using An E-Model Implementation to Evaluate
  Speech Quality in Voice over 802.11b Networks with VPN/IPSec  – Alexandre Passitoand team, Federal University of Amazonas, Brazil
• 06:12 – SIP Wiki: SIP Security and SPAM Prevention
• 06:54 – VON Online: Listening to VoIP Security  (Doug Mohney)
• 07:19 – Digital Connect: VoIP Group Answers the Call
• 07:43 – Bruce Stewart over at ETel blog points to Telecom Terms and Concepts which points to a Sean Walburg article

• 08:48 – Print version of SIP Magazine:
  article by Erik Lagerway, article on “SIP: Enabling the Hidden
  Potential of VoIP”, advertisement by http://www.pbxnsip.com/ “Of course
  your next PBX will be based on SIP. But will it be secure?”
• 10:03 – Jajah launches new phone service  (sent in by Shawn Merdinger). Additional coverage:
• ExtremeVoIP: VOIP Startup Isn’t Quite Spyware, But It’s Close
• SkypeJournal: Shall I connect you to Microsoft?
• Turn2VoIP
• PhoneAddict
• 14:13 – Upcoming VoIP conferences:
• June 1-2, DC, Workshop on VoIP security by Cybersecurity Industry Alliance and tekVizion – free to US gov, $195 for others
• June 1-2, Berlin, Third Annual VoIP Security Workshop
• 15:50 – News releases:
• NetIQ: NetIQ Unveils First Integrated Systems and Security Management Solution for VoIP
• Internet Telephony: Netrake Announces Revolutionary Fixed-Mobile Security Solution
• 17:28 – Feature interview with Nick Frost from the Information Security Forum about the report the ISF released about VoIP security back in December 2005 (and mentioned on show #8).
  Nick, who authored the ISF report, discussed a wide range of issues including:
  • background on the ISF and what it is
  • how an organization can become a member
  • why the report was created
  • major security conclusions out of the report
  • report methodology
  • surprising findings
  • major VoIP security concerns by ISF members

  It was an interesting interview and we thank Nick for coming on the show.

• 40:33 – End of interview
• 40:44 – Irwin Lazar on his his upcoming VoIP security webcast
• 43:03 – Comment section – Aswath on NAT
• 46:31 – Dean Elwood on secure SIP client
• 47:21 – Jake Opie on transcripts
• 48:72 – Gwynn Lewis on podcaststyle.com
• 49:33 – Preview of Spring VON 2006 with Carl Ford of Pulvermedia
• 61:50 Review of the last week’s traffic on the VOIPSEC public mailing list. Much discussion on a wide range of topics, including: continued discussion around Phil Zimmermann’s ideas, firewalls and NAT, configuring windows messenger 5.1 with TLS, configuring minisip with TLS, VoIP performance testing, QoS impacts due to security, CFP for Third Workshop in Berlin, tools to generate H.323 traffic to simulate attacks, request for voice analysis tools, MIDCOM info – who is using it,why you can’t just turn a firewall into a SBC
• 63:28 – Wrapup of the show:  final comments, note about flash MP3 player on the website, upcoming shows, notes about contributing, information
  about how to provide comments.
• 69:00 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: Interview with Scott Lawrence of Pingtel who is the project coordinator for the open source  sipX PBX and lead engineer for Pingtel’s commercial SIPxchange version of the open source PBX.  The interview was recorded at O’Reilly’s Emerging Telephony Conference in January 2006.

Welcome a special edition of Blue Box: The VoIP Security Podcast from the floor of the Emerging Telephony Conference in San Francisco, CA. In this interview with Scott Lawrence of Pingtel, the project coordinator for the open source  sipX PBX and lead engineer for Pingtel’s commercial SIPxchange version, we spoke a bit about Pingtel’s products, but mostly talked about SIP security mechanisms and the challenges around securing SIP along with his dire predictions about SPIT. We also discussed a couple of the other projects hosted at SIPFoundry.org.  It was an enjoyable and fascinating interview and we thank Scott for taking the time to speak with us.

Download the show here (MP3, 32MB) or subscribe to the RSS feed to download the show automatically.  The show runs about 35 minutes.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.
Audio comments sent as attached MP3 files are definitely welcome and
will be played in future shows.  You may also call the listener comment
line at +1-206-338-6654 to leave a comment there.

Synopsis: Interview with Alex Pavlovsky, President of RanchNetworks, and Mark Spencer, President of Digium and creator of Asterisk, at O’Reilly’s Emerging Telephony Conference on January 26, 2006

Welcome a special edition of Blue Box: The VoIP Security Podcast from the floor of the Emerging Telephony Conference in San Francisco, CA. In this interview with Alex Pavlovsky, President of RanchNetworks, and Mark Spencer, President of Digium and creator of Asterisk, we spoke about the RanchNetworks / Digium news release announcing a partnership between the two companies where code now included in Asterisk allows control of Ranch Networks’ firewall devices.  More links:

• Ranch Networks page on Asterisk
• Tom Keating on the news release

After discussing the announcement, the conversation continued into a discussion of the IAX protocol, the differences between it and SIP, advantages of IAX, firewall traversal, security issues and other matters.

We thank both Mark Spencer and Alex Pavlovsky for taking the time to speak with us.

Download the show here (MP3, 29MB) or subscribe to the RSS feed to download the show automatically.  The show runs about 32 minutes.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.
Audio comments sent as attached MP3 files are definitely welcome and
will be played in future shows.  You may also call the listener comment
line at +1-206-338-6654 to leave a comment there.

Synopsis: Interview about Avaya teleworker solution, reports from Internet Telephony conference, VoIP security news and much more

Welcome to Blue Box: The VoIP Security Podcast show #15, a 61-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show features a 20-minute interview with Rick Robinson and Jerry Ryan from Avaya about their new teleworker solution.  The show also includes reports from the recent Internet Telephony Conference and Exposition held in January in Florida.

Download the show here (MP3, 57MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map! Also included mention of upcoming interviews:
  • Feb 6 – Nick Frost, author of Information Security Forum report mentioned in #8
  • Feb 20– Per Cederqvist of Ingate systems on to talk about ‘sdescriptions’ key exchange
• 02:18 – News Section: MIT/Cambrige CRN:  Communications experts warn against touching the VoIP  (Page also available cached by Google) Many links pointing to the story – two examples are the stories in PCPro UK and The Register
• 05:17 – News about Tom Ridge keynote at Internet Telephony conference. Two examples: Computer Business Review – VoIP critical to US security says former DHS chief and ZDNet: Tom Ridge: gotta love VoIP, but intercepts are necessary
• 06:53 – TMC.net: NetClarity Offers Free VoIP Security Test (and NetClarity press release ) – also news release: NetClarity’s CTO to Discuss VoIP Security at Internet Telephony
• 07:22 – NewsFactor:  Avaya, Juniper partner on enterprise communications
• 07:50 – TMC Net:  A Proactive, Systems-Level Approach to VoIP Security
• 08:37 – Computer Business Review Online: Borderware Building Business on VoIP, Outbound Security
• 08:53 – CIO Australia: Dial VoIP for Vulnerability
• 09:40 – VoIP Magazine: VOIPSA Threat Taxonomy Summary written by Mark Collier
• 10:16 – VoIP Magazine: Zimmermann to Release VoIP Encryption Software and Interview with Phil Zimmermann
• 13:32 – Continuity Central: Emerging threats 2006: VoIP
• 14:31 –InfoSecurity Europe 2006 – April 26-27 in London
• 14:50 – Corrent Announces VoIP Security Gateway for Service Providers
• 14:55 – XConnect and Kayote Networks awarded First MSO National VoIP Peering Project
• 15:25 – Webtorials.com announces two Lucent white papers on VoIP Security
• 15:31 – Skype now has a a Security Blog  (tip of the hat to Irwin Lazar)
• 16:43 – Feature interview with Rick Robinson and Jerry Ryan of Avaya about their new "VPNremote" teleworker set (announced in December in this Avaya news release and discussed in this Information Week article). Topics discussed include:
  • Background on announcement, development
  • Configuration, form factor
  • Quality of service
  • Security of second port, authentication, physical security
  • Hurricane Katrina relief effort
  • Usage scenarios
  • Advantages, disadvantages, joys of teleworking
  • Pricing and future plans
  • 36:32 – end of interview
• 36:50 – Discussion of Internet Telephony conference  with report in from listener Steve Blair about his experience at the show
• 41:10 – Jonathan reports on the panels he moderated at the conference
• 45:54 – Mention of ACLU lawsuit against NSA spying and their "Eavesdropping 101" piece that mentions VoIP security.  Longer discussion on lawful intercept issues.
• 48:45 – We will both be out at the RSA Conference next week.  If you are going to be there, drop us a note!
• 49:35 – Comment section – Comments from Stephen Kramer, puneet, Brian Honan, Shawn Merdinger, Craig Bowser, Christine Herren, The Pod Lounge, Big Wave Dave, Leslie Asamoa-Krodua.
• 56:55 – Review of the last week’s traffic on the VOIPSEC public mailing list. It was a quiet week with the only real traffic being Chris Martin’s request for SBC-related questions for an upcoming poll and then a recent discussion of Phil Zimmermann’s proposals.
• 58:16 – Wrapup of the show:  final comments, mention of picture on the website, upcoming shows, notes about contributing, information about how to provide comments.
• 61:21 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.