Synopsis: Presentation by Phil Zimmerman at O’Reilly’s Emerging Telephony Conference on January 26, 2006

Welcome a special edition of Blue Box: The VoIP Security Podcast from the floor of the Emerging Telephony Conference in San Francisco, CA.  In this presentation, Phil Zimmermann, creator of PGP, outlines his ideas and plans for a new way to encrypt VoIP conversations.  His new software, currently called "zFone", will be available in early March for beta testing.  Updates and information will be available from his website at http://www.philzimmermann.com/.  A quote:

I would like to do for VoIP what I did for e-mail… I’d like to make it possible for you to whisper in someone’s ear – even if their ear is thousands of miles away.

We thank Phil Zimmermann and the great team at O’Reilly for giving us permission to make this recording available to you all.

Download the show here (MP3, 22MB) or subscribe to the RSS feed to download the show automatically.  The show runs about 23 minutes.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.
Audio comments sent as attached MP3 files are definitely welcome and
will be played in future shows.  You may also call the listener comment
line at +1-206-338-6654 to leave a comment there.

Synopsis: Interview with Shawn Merdinger about WiFi phone vulnerabilities, VoIP security, comments, news, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #13, a 35-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security. This show primarily features an 29-minute interview with Shawn Merdinger, an independent security researcher focused on the security of WiFi SIP handsets.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• Upcoming interviews:
• Jan 30 – Rick Robinson and Jerry Ryan at Avaya about their teleworker set (mentioned in show #8)
• Feb 6 – Nick Frost, author of Information Security Forum report mentioned in #8
• Feb 20– Per Cederqvist of Ingate systems on to talk about ‘sdescriptions’ key exchange
• Upcoming events – Dan will be attending O’Reilly’s Emerging Telephony Conference in San Francisco January 24-26. If you are also planning to be there, please drop us an e-mail.  Jonathan will now be attending Internet Telephony happening at the same time in Florida.  If you are also interested in sending in a report, check out the details on the show blog.
• 02:05 – Feature interview with Shawn Merdinger,  a security researcher now employed by the Tipping Point division of 3Com.  He was previously a security researcher at Cisco and as an independent security researcher started an investigation into the security of WiFi handsets.

  On the weekend of January 13-15, he attended Shmoocon 2006, a hacker conference in Washington, DC, and presented a talk entitled “VoIP WiFi Phone Handset Security Analysis: We’ve met the enemy…and they built our stuff?!?” (his Shmoocon presentation is available for download here)  Following that, on Monday, January 16, 2006, he released advisories to the ‘full-disclosure’ mailing list outlining the vulnerabilities that he found in six SIP WiFi handsets:

  • ACT P202S VoIP wireless phone multiple undocumented ports/services
  • Senao SI-7800H VoIP wireless phone wdbrpc debug service UDP/17185
  • Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023
  • MPM HP-180W VoIP wireless desktop phone undocumented port UDP/9090
  • ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090
  • Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023

  We spoke with Shawn at length in a wide-ranging interview that covered topics such as:

  • Background – why did he start the project?

  • Vendor notification program

  • Future plans for further testing?  Methodology?
  • A POP e-mail client on a SIP phone?
  • Test methodology?  Access to manuals?
  • Implications for users of WiFi phones
  • Reactions from affected vendors
  • Summary of vulnerabilities
  • Timeframe for next release?
  • Advice to companies for working with independent security researchers
  • Business opportunities around helping companies work with security researchers
  • Applying this research to the VoIPSA Threat Taxonomy
  • What people and companies can do to help in his research
  • 30:38 – End of interview

  It was quite an enjoyable interview and we commend Shawn for the responsible manner in which he is interacting with vendors and his efforts to educate others about doing the same.  If you would like to assist Shawn in his efforts, by for instance providing WiFi phones for testing, Shawn can be reached at shawnmer@io.com.

• 30:43 – News section: Vulnerabilties:
  • Cisco Call Manager Privilege Elevation
  • Cisco Call Manager DoS
• 31:27 – News section: Articles:
  • Skype Journal: BW: Skype caves in to Chinese censors
  • Business Week: The Great Firewall of China
  • ZDNet Blog: George Ou: Skype 2.0 looks like a virus
  • ZDNet Blog: Russell Shaw: Why pay $2,995 for VoIP security advice? I have a better idea (about Jeremy Casteel’s term paper)
• 32:28 – Vikram, our listener who listens to us in the traffic jams of Bombay, cued us in to this new release of Asterisk: Asterisk releases 1.2.2 which refers to new functionality delivered in conjunction with Ranch Networks  (As it happens, Dan will be interviewing Asterisk co-founder Mark Spencer and someone from Ranch Networks out at ETel and we will have that interview as a show.)
• 33:50 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 35:43 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, WiFi phone vulnerabilities, comments, news, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #12, a 55-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security. This show also features an 15-minute interview with Bogdan Materna, CTO and co-founder of VoIPShield Systems

Download the show here (MP3, 50MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 01:33 – Upcoming interviews:
• soon – Shawn Merdinger about WiFi handset vulnerabilities
• Jan 30 – Rick Robinson at Avaya about their teleworker set (back in show #8)
• Feb 6 – Nick Frost, author of Information Security Forum report mentioned in #8
• Feb 20– Per Cederqvist of Ingate systems on to talk about ‘sdescriptions’ key exchange
• 02:46 – Upcoming events – Dan will be attending O’Reilly’s Emerging Telephony Conference in San Francisco January 24-26. If you are also planning to be there, please drop us an e-mail.  Jonathan will now be attending Internet Telephony happening at the same time in Florida.  If you are also interested in sending in a report, check out the details on the show blog.
• 04:06 – Apology and explanation about problems with show #10
• 04:31 – News section: Vulnerabilities – eStara Softphone Remote Buffer Overflow FSIRT post – solved in 3.0.1.47 per msg to VOIPSEC mailing list
• 05:49 – Cisco 7940 IP Phone Reboot DoS – milw0rm.com exploit and Cisco response
• 06:33 – WiFi SIP handset vulnerabilities from Shawn Merdinger at Shmoocon:
• ACT P202S VoIP wireless phone multiple undocumented ports/services
• Senao SI-7800H VoIP wireless phone wdbrpc debug service UDP/17185
• Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023
• MPM HP-180W VoIP wireless desktop phone undocumented port UDP/9090
• ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090
• Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023
• 08:30 – The NON-vulnerability – Yahoo News: Avaya Bitten Hard by WMF Bug and Avaya security advisory (Can people please read security bulletins before writing articles about them?)
• 10:16 – Intranet Journal: Five Questions to Consider Before Migrating to VoIP
• 10:52 – Contractor UK: VoIP Free? You must be joking (reference to upcoming guest Nick Frost)
• 12:05 – Unstrung: WLANs Enter Integration Age
• 12:48 – IT Observer: Sound Choices for VoIP Security
  – white paper by Jonathan Casteel, which curiously  appears to be a term paper for a university class (but is a good
  summary)
• 13:53 – TMC.Net: TI introduces PIQUA for VoIP QoS  (See also InfoWorld Netherlands and ElectronicsTalk )
• 15:27 – TechWorld: Ipoque launches Skype-killer  (also news release )
• 16:08 – VON Magazine: Security Gizmos at CES (Sonare “Babble” technology and comment that it may be built into phones)
• 17:16 – VON Magazine: WiFi (in)security (talks about Shmoocon)
• 17:42 – IPCommunications.com Meru Offers RF-Level Security (also news release= )
• 18:58 – Call for Papers: CanSecWest – Apr 5-7 in Vancouver, specifically looking for VoIP security info
• 19:27 – Slashdot: NSA Wiretap Whistleblower
• 19:53 – IDC: Latest VoIP Semiconductor Forecast
• 20:30 – ZDNet: Russell Shaw: "Is ENUM the key to true VoIP directory assistance?"
• 22:09 – News releases – Pennsylvania State University chooses Qovia for VoIP Management (ordinarily wouldn’t include this but Steve Mank from Qovia was on last week)
• 22:45 – Emperix, Shenick and CT Labs announcing VoIP security testing of Juniper Netscreen
• 24:00 – Feature interview with Bogdan Materna of VoipShield Systems
  
  • Background on VoIPShield, formation, funding, etc.
  • VoIPAudit description
  • Type of solution, form factor
  • Update mechanism?
  • 29:34 – Typical threats
  • Layers of solution
  • What IP-PBXs does it work with?
  • Who is using VoIPAudit
  • 34:15 – How are you different from IDS’?
  • Competitors? Relationship to VoIP vendors?
  • What’s next?
  • 37:28 – What do you see as main threats to VoIP?
  • 38:57 – End of interview
• 39:02 – Comment section – Comment from Shawn Merdinger about the WiFi vulnerabilities he was releasing
• 39:45 – Comment from Bruce Stewart, editor of O’Reilly’s Emerging Telephony website, which supports the conference, but will continue after the conference is over.
• 40:51 – Comment from Vikram Rangnekar about listening to the show in the traffic jams of Bombay, ideas for the show and his own company
• 44:20 – Book review by Martyn Davies of The 3G IP Multimedia Subsystem (IMS) : Merging the Internet and the Cellular Worlds by Gonzalo Camarillo and Miguel-Angel Garcia-Martin
• 49:35 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included discussion around what is the most popular key exchange protocol: MIKEY vs SDP sdescriptions, feasiblity of protecting just part of the SDP packet, estara and Cisco vulnerabilities, SIP being used to send data and more.
• 50:80 – Mention of new search feature by Podzinger available on the right side of the show blog
• 52:07 – Reminder that next week there might be multiple shows coming out of the conferences.
• 52:42 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 55:27 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Download the show here (MP3, 50MB) or subscribe to the RSS feed to download the show automatically.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, WiFi phone vulnerabilities, comments, news, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #11, a 39-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security. This show also features an 18-minute interview with Steve Mank, COO of Qovia.

Download the show here (MP3, 39MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Note: Audio quality was a bit lower than previous shows and there was some echo.  We know – and more importantly we know how to fix it.  Future shows will be bettter.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners. , especially those Vermonters who joined as a result of 802Online posting. Mention of Frappr map for the show.  Please join the map! Mention that we are open to considering other contributors, either as "correspondents" or potentially as another co-host. Drop us an e-mail if you are interested in being considered!
• 02:46 – Upcoming events – Dan will be attending O’Reilly’s Emerging Telephony Conference in San Francisco January 24-26. If you are also planning to be there, please drop us an e-mail.  If anyone will be attending Internet Telephony happening at the same time in Florida, we would love some reports coming out of the show.  More details on the show blog.
• 03:38 – Comment section – comment from Shawn Merdinger about the AIO from Chandran at Sun
• 04:24 – Comment from Steve Blair that he’ll be attending the Internet Telephony conference
• 04:45 – Question from Craig Bowser about show notes and comment about VON Magazine
• 05:39 – Mention from ‘natas’ that he will be attending Shmoocon in Washington, DC next week (we mentioned this in show #10)
• 07:26 – News section – Network World: What will generate the real heat in ‘06?
• 08:35 – Call For Papers: Third Annual VoIP Security Workshop, Berlin, Germany, June 2006
• 09:16 – ABC News: DECT Phone bridges landline, VoIP
• 10:52 – Aswath Weblog: Optimized for Skype
• 12:36 – SECGURU:  VoIP Security Planning, Threats and Recommendations by Dan Sass
• 13:16 – Mention that there was an article (behind a gated web site) that seemed to imply a new VoIP white paper published by Internet Security Systems, but no mention could be found in other sources
• 13:53 – News release from PMC-Sierra about their new wired and WiFi phone reference platform that includes hardware security chips  (See also this story)
• 14:55 – ‘ResearchAndMarkets’ analyst firm releases VoIP Security report
• 15:48 – VoIP Magazine picks Borderware as one of the top 20 VoIP companies to watch (see also VoIP Magazine full "Top 20" list)
• 17:27 Feature interview with Steve Mank, COO, of Qovia, a company providing VoIP management tools and one of the first ones to use the term "SPIT" for "Spam for Internet Telephony"
  
  • 17:27 – history, overview of products, typical architecture
  • 25:50 – focus on security, DoS, encryption, rogue device detection
  • 29:15 – patents around SPIT prevention, techniques, DoS server solution, modularity
  • 32:00 – call logging/recording?, future directions, IP video
  • 33:00 – IP video equivalent of MOST score, go-to-market strategy, supported platforms, final thoughts
  • 35:39 – end of interview
• 36:01 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included continued discussion on Skype usefulness in the enterprise (resulted in Matthew Kaufmann posting about Amicima – a secure p2p VoIP company whose code is apparently open source ), VoIP attack statistics, and a call for papers for the Third Annual VoIP Security Workshop in Berlin June 1 and 2.
• 37:55 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 39:35 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Download the show here (MP3, 38MB) or subscribe to the RSS feed to download the show automatically.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, WiFi phone vulnerabilities, comments, news, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #10, a 41-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

Download the show here (MP3, 39MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners. , especially those who joined as a result of Andy Abramson’s mention of the show in VoIPWatch. Mention of Frappr map for the show.  Please join the map!
• 02:17 – Mention that we are open to considering other contributors, either as "correspondents" or potentially as another co-host. Drop us an e-mail if you are interested in being considered!
• 02:33 – Note that comments and trackbacks to the show blog are now unfortunately moderated due to spam
• 03:40 – Upcoming events – Dan will be attending O’Reilly’s Emerging Telephony Conference in San Francisco January 24-26. If you are also planning to be there, please drop us an e-mail.
• 05:22 – If anyone will be attending Internet Telephony happening at the same time in Florida, we would love some reports coming out of the show.
• 06:12 – Comment section – comment from "natas" on the show and being in Vermont
• 06:56 – Comment from Al Samuelson asking about info for small companies without IT staff
• 10:03 – Lengthy comment (and discussion) from Shawn Merdinger on testing of wireless (WiFi) phones
  • Mention that his next round of disclosures will be out January 15th at Shmoocon in Washington, DC
• 20:51 – News section – Call for papers for NOMS2006 extended to Jan 10th
• 21:29 – ABC News / PC Magazine: Skype Security Questioned
• 23:15 – Network World: SPIT Happens
• 25:20 – Red Herring: Top Security Trends for 2006
• 26:13 – Government Technology: GT Spectrum
• 27:32 – VON Magazine now sending out twice-monthly "Focus on Security". Latest issue included:
  • Cloudshield introduces VoIP traffic analysis tool
  • m5t releases study "SIP Stack Evaluation with Integrated Security"
• 29:18 – GNUTelephony.org
• 31:09 – News releases:
  • Managed Service Providers Deploy NetIQ for VoIP Management
  • Ingate Remote SIP Connectivity for Ingate Siparator® 45 Named Product of the Year
• 32:05 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included a poll results from Chris Martin discussion of a SIP vulnerabilities, carrier versus peer-to-peer, Skype security. The security discussion included Rodney Thayer who has written for Network World about Skype and has his own security presentation on Skype
• 39:20 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 41:28 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Download the show here (MP3, 39MB) or subscribe to the RSS feed to download the show automatically.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, year in review, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #9, a 29-minute podcast (with 4 bonus minutes… read on) from Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

Download the show here (MP3, 32MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• 02:40 – Mention that we are open to considering other contributors, either as "correspondents" or potentially as another co-host. Drop us an e-mail if you are interested in being considered!
• 05:25 – Comment section – Mark Collier comments on podcast #7
• 07:24 – Mark Gerschefske asks about IETF and show notes  (anyone interested in helping with show notes?)
• 11:00 –  News section – VoIP Magazine IP Security in a Hosted Environment – written by our guest of last week, Mark Collier
• 12:00 – Developing Carrier-Grade Security for Service Providers – written by Bogdan Materna of VoiPShield, who will be our interview guest on the week of January 16th
• 13:05 – Network World: LAN switches to get smarter about VoIP security about Avaya, Extreme and LLDP-MED.  (Also mention of Mitel news release)
• 15:21 – New Mexico Business Weekly: Oh, SPIT! Security woes hit voice over Internet too
• 16:24 – CSO: INTEROP: Security Experts Urge a ‘Say Yes’ Mindset
• 17:16 – ComputerWorld Singapore: VoIP beyond the enterprise LAN
• 17:53 – O’Reilly.com: Andy Oram provides a recap of Fall 2005 VON in an article entitled VoIP is All Business At VON
• 18:20 – Lockergnome: Need VoIP Security: Get a Tunnel of Tom Cross’ Techtionary.com website.
• 19:01 – Discussion of what lies ahead in 2006 for VoIP security.  Also included mention of two Skype-related postings:
  • Tom Keating: Block Skype – discussion of blocking Skype including directions of how to configure SonicWALL firewalls to do so
  • Rich Tehrani: Skype fear – speaks to the fact that Skype is a development platform and could allow apps using the Skype APIs to ride the Skype connections into your network
• 25:16 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included a continued discussion of a list of VoIP vulnerabilities, assessing Skype’s network impact, questions from graduate students.
• 26:38 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 28:38 – End of show

Also, as a holiday bonus – and because podcasts all over the Internet are participating in this effort, after the regular show outro around 29 minutes, the show includes the UNICEF-benefit song "If Every Day Were Christmas" created by Podsafe for Peace, a collaboration of 32 artists in 9 countries very much along the lines of the "We Are The World" effort back in 1985 – only this time the artists did not physically meet and it was all put together digitally.  If you have not heard it yet, it is well worth a listen.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

NO PODCAST NEXT WEEK!  We are taking a break for the holidays but will be back with a new show on the week of January 2nd.  Have a great holiday season… and we will catch up with you in the new year…

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, interview with Mark Collier, CTO of SecureLogix

Welcome to Blue Box: The VoIP Security Podcast show #8, a 47-minute podcast (with 6 bonus minutes… read on) from Dan York around news and commentary in the world of VoIP security.

Download the show here (MP3, 48MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Though we tried very hard to connect (including planning to do the show with Jonathan calling in from an airport), Jonathan was travelling again this week and so Dan was solo again. This show does feature a 19-minute interview with Mark Collier, CTO of SecureLogix.

Show Content:

Detailed show notes will be available soon.  Due to the fact that I (Dan) am travelling tomorrow, I’m loading the show up here for listeners.  Show notes should appear late Wednesday night.

I will note that at approximately 22:10 I begin a very interesting 19-minute interview with Mark Collier, CTO of SecureLogix.  With 20 years experience in the field, Mark brings a wealth of expertise to the conversation, which ranged over topics such as the current state of VoIP security, standards, Skype, new projects, and Mark’s dire prediction for 2006.  Well worth a listen.

Also, as a holiday bonus – and because podcasts all over the Internet are participating in this effort, after the regular show outro around 47 minutes, the show includes the UNICEF-benefit song "If Every Day Were Christmas" created by Podsafe for Peace, a collaboration of 32 artists in 9 countries very much along the lines of the "We Are The World" effort back in 1985 – only this time the artists did not physically meet and it was all put together digitally.  If you have not heard it yet, it is well worth a listen.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, comments and opinions

Welcome to Blue Box: The VoIP Security Podcast show #7, a 28-minute podcast from Dan York around news and commentary in the world of VoIP security.

Download the show here (MP3, 26MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Jonathan was travelling this week and unable to participate.  We mentioned previously that Bogdan Materna from VoIPShield Systems would be interviewed this week but unfortunately he fell ill and was unable to join us.  We’ll reschedule that interview in the weeks ahead.  Our thanks go out to Tom Cross of Techtionary.com, who provided some content for today’s show.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.
• 02:22 – Mention of upcoming interviews:  SecureLogic, VoIP Shield, potentially Qovia
• 03:55 – Comments section – first comment in from Scott Berkman offering a new logo (see the image to the right).  Many thanks, Scott!  Comments are welcome.
• 05:59 – Chuck Tanowitz from Schwarz Communications pitching an interview with Qovia
• 06:58 – Paul Sorge at HP Procurve finds the podcasts useful and likes the intro with phones
• 07:21 – Mike Strock mentions the show in his blog and finds the phone intro extremely annoying
• 08:16 – Rick Robinson at Avaya comments on the real versus perceived threats to VoIP
• 09:33 – The PR firm for NetClarity contacted us about NetClarity’s patent filing
• 10:29 – Craig Bowser sent in a link to a SecurityPipeline article on 3Com’s new switch with VoIP capabilities – see also the 3Com’s news release
• 12:20 – Wrapup of comments and information about sending in comments
• 13:08 – News section – Der Spiegel article on attack against cell phone voicemail and the linkage to VoIP (in German – a very brief English summary is available)
• 15:55 – ComputerWorld Australia: Fluke to acquire Visual Networks – see also the Fluke news release
• 16:45 – Bank Technology News: Voip Security Threats: Swimming With The Sleeping Sharks?
• 17:52 – ZDNet: Attention Skype-haters: SkypeKiller lets you wipe Skype from your network for good
• 18:04 – Business Week: Getting skittish about Skype (a sidebar to a larger article)
• 19:39 – LightReading: Verso responds to Skype
• 20:15 – ZDNet: Mass mailer worm maquerades as Skype update
• 21:24 – Network World: VoIP scheme gets big backers which includes an audio interview with Cullen Jennings of Cisco about ICE and a mini-tutorial on the topic
• 21:59 – Mini-feature: Tom Cross (of Techtionary.com) asks if companies are developing policies around the monitoring of VoIP calls
• 24:01 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included a request for contacts for people interested in VoIP fraud (i.e. billing abuse) and a discussion of whether RTP could be a transport for viruses.
• – Request for feedback – Do you find this VOIPSEC review section of the show useful? Please send comments to blueboxpodcast@gmail.com.
• 25:55 – Final comments – looking for suggestions for the lists of VoIP podcasts and VoIP security books currently on the side of the podcast weblog
• 26:32 – Wrapup of the show and information about how to provide comments.
• 28:04 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, interview with Mark Spencer of Asterisk/Digium, review of VOIPSEC mailing list.

Welcome to Blue Box: The VoIP Security Podcast show #6, a 42-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show also features a 24-minute interview with Mark Spencer, the original author of Asterisk and President of Digium.

Download the show here (MP3, 40MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

This show also features a new musical intro and outro provided to us by listener Martyn Davies from the UK.  Those of you who hated the previous intro of ringing phones can join us in thanking Martyn for his work.  Please do let us know what you think of it!

Show Content:

• 00:23 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.
• 01:29 – Comments section – first comment in from John Todd asking what are the primary reasons more commercial and open source VoIP systems do not currently support encryption (i.e. TLS, SRTP, etc.)
• 04:52 – Comment from Reginal Cross asking about the security of consumer VoIP systems such as Packet8.
• 08:32 – Martyn’s comment and his new intro.
• 09:33 – Comment from Tom Cross that his latest Techntionary Tips contains a number of VoIP security-related items
• 10:50 – News section begins with WiFi Planet: VoIP integrated circuits – security is a concern
• 11:46 – TMC.net: Making Sense of VoIP Security Threats (by our upcoming guest, Bogdan Materna from VoIPShield)
• 12:30 – Australian government report on VoIP
• 13:08 – SearchSecurity.com: Don’t believe the VoIP security hype
• 14:22 – Start of interview with Mark Spencer, the original author of the open source PBX Asterisk and President of Digium.  Discussion on what’s new, IAX encryption, SRTP bounty.
  • 17:15 – Background on the creation of Asterisk
  • 20:15 – Comparison to commercial PBXs and discussion of bicycle-powered PBXs in Africa
  • 23:05 – How do you deploy Asterisk securely?
  • 23:53 – What is the IAX protocol? How is it different?
  • 27:17 – Patents and intellectual property
  • 28:18 – What’s next for Asterisk and discussion of open source aspects
  • 31:41 – Economics of Digium – could Digium exist without Asterisk?
  • 33:54 – Competition with other PBXs?
  • 35:03 – The new Asterisk 1.2 release and roadmap
  • 37:23 – Interview wrap-up… how developers can help and final thoughts
• 38:29 – Review of the last week’s traffic on the VOIPSEC public mailing list. Major topics this week included continued discussion of the insecurity of WiFi networks, mention of the Australian government report, a discussion of whether DKIM could be used for securing SIP.
• 39:19 – Request for feedback – Do you find this VOIPSEC review section of the show useful? Please send comments to blueboxpodcast@gmail.com.
• 40:04 – Miscellany – looking for suggestions for the lists of VoIP podcasts and VoIP security books currently on the side of the podcast weblog
• 40:37 – Wrapup of the show and information about how to provide comments.
• 41:41 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.