Blue Box: The VoIP Security Podcast

Synopsis: VoIP security news, interview with Mark Spencer of Asterisk/Digium, review of VOIPSEC mailing list.

Welcome to Blue Box: The VoIP Security Podcast show #6, a 42-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.  This show also features a 24-minute interview with Mark Spencer, the original author of Asterisk and President of Digium.

Download the show here (MP3, 40MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

This show also features a new musical intro and outro provided to us by listener Martyn Davies from the UK.  Those of you who hated the previous intro of ringing phones can join us in thanking Martyn for his work.  Please do let us know what you think of it!

Show Content:

• 00:23 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.
• 01:29 - Comments section - first comment in from John Todd asking what are the primary reasons more commercial and open source VoIP systems do not currently support encryption (i.e. TLS, SRTP, etc.)
• 04:52 - Comment from Reginal Cross asking about the security of consumer VoIP systems such as Packet8.
• 08:32 - Martyn's comment and his new intro.
• 09:33 - Comment from Tom Cross that his latest Techntionary Tips contains a number of VoIP security-related items
• 10:50 - News section begins with WiFi Planet: VoIP integrated circuits - security is a concern
• 11:46 - TMC.net: Making Sense of VoIP Security Threats (by our upcoming guest, Bogdan Materna from VoIPShield)
• 12:30 - Australian government report on VoIP
• 13:08 - SearchSecurity.com: Don't believe the VoIP security hype
• 14:22 - Start of interview with Mark Spencer, the original author of the open source PBX Asterisk and President of Digium.  Discussion on what's new, IAX encryption, SRTP bounty.
  • 17:15 - Background on the creation of Asterisk
  • 20:15 - Comparison to commercial PBXs and discussion of bicycle-powered PBXs in Africa
  • 23:05 - How do you deploy Asterisk securely?
  • 23:53 - What is the IAX protocol? How is it different?
  • 27:17 - Patents and intellectual property
  • 28:18 - What's next for Asterisk and discussion of open source aspects
  • 31:41 - Economics of Digium - could Digium exist without Asterisk?
  • 33:54 - Competition with other PBXs?
  • 35:03 - The new Asterisk 1.2 release and roadmap
  • 37:23 - Interview wrap-up... how developers can help and final thoughts
• 38:29 - Review of the last week's traffic on the VOIPSEC public mailing list. Major topics this week included continued discussion of the insecurity of WiFi networks, mention of the Australian government report, a discussion of whether DKIM could be used for securing SIP.
• 39:19 - Request for feedback - Do you find this VOIPSEC review section of the show useful? Please send comments to [email protected].
• 40:04 - Miscellany - looking for suggestions for the lists of VoIP podcasts and VoIP security books currently on the side of the podcast weblog
• 40:37 - Wrapup of the show and information about how to provide comments.
• 41:41 - End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, comments, FCC wiretapping and CALEA, Skype blocking, IPv6 and NAT, review of VOIPSEC mailing list.

Welcome to Blue Box: The VoIP Security Podcast show #5, an 32-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

Download the show here (MP3, 30MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:17 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners who arrived after the posting to the VOIPSEC mailing list and also to VoIP weblogs such as VoIP Watch.
• 02:10 - Request to the musically-talented for a better intro.
• 02:24 - Upcoming interviews over the next few weeks
  • Mark Spencer of Asterisk fame
  • VoIPShield
  • SecureLogix
• 03:28 - Martyn Davies gave us a nice logo for our consideration (see it with this podcast file)
• 04:31 - Comments section - first comment in from Martyn Davies
• 05:23 - Comment from Dean Elwood at voipuser.org
• 06:19 - Mention that we were pitched by a PR agency and will, in fact, be interviewing their client
• 06:36 - Wrapup of comments and mention of how people can comment
• 07:27 - News section begins with "VoIP Security is going to be a nightmare" by Winn Schwartau at NetworkWorld
• 09:25 - "A constant state of insecurity" by Roger Grimes at InfoWorld
• 12:45 - Discussion about FCC wiretap order for VoIP providers, CALEA and a CNET article on the subject
• 17:56 - Skype blocking in China
• 20:34 - Business warned about using Skype
• 21:12 - Cisco security advisory about their wireless phone
• 22:10 - wrap-up of comments and mention of report saying that "43% of IT Directors Still Think VOIP is Inherently Insecure"
• 23:45 - Review of the last week's traffic on the VOIPSEC public mailing list. Major topics this week included a very lengthy discussion on IPv6 and NAT traversal, blocking Skype, the insecurity of clear-text passwords and many more topics.
• 25:05 - Dive into a tangent on IPv6 and NAT and how they all work.
• 31:03 - Mention that German government VoIP report is not yet available on their English page but other interesting reports are such as one on the security of the GSM cellular network
• 31:41 - Wrapup of the show and information about how to provide comments.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Synopsis: VoIP security news, comments, interview with Tom Cross about VoIP security panels at IT Telephony and also upcoming VoIP security conference in June 2006, review of VOIPSEC mailing list.

Welcome to Blue Box: The VoIP Security Podcast show #4, an 32-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

Download the show here (MP3, 30MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:18 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners who arrived after the posting to the VOIPSEC mailing list.
• 01:57 - Comment from Craig Bowser asking if an English translation of the German report was yet available and asking also about the NIST report
• 04:17 - Comment from Alon Cohen (co-founder and former CTO of VocalTec) asking about whether the VOIPSA Threat Taxonomy should only cover the threats that don't overlap with data
• 08:18 - Comment from Simon Ewing that he enjoys the show but the show intro is making his blood boil
  - Request to listeners: if anyone has a better idea for an audio intro, we'd love to hear it.
• 11:37 - Start of interview with Tom Cross, founder and producer of Techtionary.com, the world's largest animated library on technology, and also a columnist for TMC Net, Telecommunications and more.
• 13:38 - Discussion of the two panels on VoIP security that Tom moderated out at Internet Telephony and the themes he did or did not see emerge (and discussion about elephants in the dark)
• 18:08 - Tom talks about the International Security Symposium on VoIP Security that he is organizing for June 1-2, 2006 in Boulder, CO.  Discussion on the call for papers and encouraging people to submit proposals.
• 24:38 - Tom discusses the services he and his company provide
• 26:45 - Wrap-up of the interview and note that if others are interested in being interviewed please contact us.
• 27:17 - Very quick summary of some of the news items this week:
  • Skype security analysis
  • European IT directors doubt VoIP security
  • Microsoft and Cisco release about ICE: Microsoft press release, Information Week article, PC World article, Tom Keating's TMC.net VoIP blog
• 28:34 - Review of the last week's traffic on the VOIPSEC public mailing list. Major topics this week included nat traversal, continued discussion of SIP B2BUA and Digest Authentication, like to Skype security analysis and a number of comments around the Microsoft and Cisco announcement.
• 29:30 - Another request for an iTunes logo
• 30:17 - Note about "VoIP Podroll" on show blog and request that if you know of another VoIP podcast that should be included to please send that in.
• 30:47 - Wrapup of the show and information about how to provide comments.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Welcome to Blue Box: The VoIP Security Podcast show #3, an 26-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

Download the show here (MP3, 25MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:18 - Intro to the show, contact information and how to provide comments.  Note that we are now listed in iTunes, Yahoo Podcasts and PodcastAlley - welcome to all who are tuning in for the first time.
• 01:27 - We need a logo for display in iTunes - anyone interested in designing one for us?
• 01:55 - Transparency - how visible do we need to make our employers so that people understand our backgrounds? (Given that neither of our employers have any direct connection to this show.)
• 03:00 - Comments section
• 03:10 - E-mail comment from Mike Soulier
• 04:06 - Audio comment from Lee Hopkins (fellow correspondent with Dan into the For Immediate Release podcast)
• 05:28 - Entering the News section with mention of the CSO Online podcast covering VoIP security and including David Endler, chair of VoIPSA
• 06:17 - NewsFactor: Is VoIP Ripe for Attack?
• 08:40 - Globe and Mail: The dangers of VoIP
• 09:59 - ZDNet: Poll: SMB's don't trust VoIP Security
• 11:54 - IndyStar.com: VoIP can put a big crimp in home security (VoIP and home alarm systems)
• 14:18 - The rest of the news stories this week seemed to be about the VoIP Security Threat Taxonomy, including several that quoted Jonathan, who chaired the VOIPSA committee creating the taxonomy.  Jonathan spoke about the response to the taxonomy for a bit and encouraged people to check it out and provide even more feedback.
• 15:33 - Discussion about wikis, wiki-spam and Wikipedia
• 17:57 - Should we do interviews, either as part of the show or separate?  Conclusion is yes and request made for feedback, suggestions, etc.  (Please send us suggestions and ideas.)
• 21:15 - Review of the last week's traffic on the VOIPSEC public mailing list, which Jonathan mentioned does now have over 3,500 subscribers.  Major topics this week included SIP B2BUA and Digest Authentication using RADIUS, SDP format for SRTP in SIP,  a post about the skype vulnerabilities,  a mention of someone finding a new way for SIP NAT traversal,  Per Cederqvist (of CVS fame, now at Ingate) looking for people to test interop of SRTP using sdescriptions and several other points.
• 24:11 - Dan asks for feedback - is this VOIPSEC review helpful?
• 24:57 - Another request for an iTunes logo
• 25:22 - Wrapup of the show and information about how to provide comments.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Welcome to Blue Box: The VoIP Security Podcast show #2, an 24-minute conversation between Dan York and Jonathan Zar around news and commentary in the world of VoIP security.

With this show, Jonathan Zar joins as a co-host.  Jonathan also was just back from the Internet Telephony show in Los Angeles and so much of the discussion included feedback coming out from the show.

Download the show here (MP3, 22MB) or subscribe to the RSS feed to download the show automatically.

Show Content:

• 00:19 - Intro to the show, contact information and how to provide comments
• 01:09 - Dan covers the comment section... mainly that there are no comments yet because the show hasn't been publicized.  Stated again the contact info and welcomed comments. (Including on whether or not we should keep the intro sound effects.)
• 01:43 - Discussion of last week's Skype security alerts:  SKYPE-SB/2005-002 and SKYPE-SB/2005-003. Including the quick response as well as some of the media coverage.
• 05:23 - The German Federal Agency for Information Security released a report on VoIP security. (For non-German speakers, there is a ComputerWorld article in English that explains a bit more.)
• 07:28 - Dan mentions that most of the other news items he saw were about the VoIPSA Threat Taxonomy that Jonathan (who chaired the VOIPSA committee creating the taxonomy) was out at Internet Telephony to unveil
• 08:20 - Jonathan discusses reaction to the VoIP Security Threat Taxonomy and then goes into details about why the taxonomy was created, lessons learned out of it (some relating to VoIP spam, aka SPIT), statistics and how people can help (Hint: there's a wiki where participation is welcome.)
• 17:50 - Dan asks Jonathan whether there were any VoIP security products out at Internet Telephony that impressed him. (The answer is..... )
• 02:30 - Review of the last week's traffic on the VOIPSEC public mailing list, which was actually quite quiet with only a few posts about the Skype security evaluation (mentioned in show #1) and an invitation to submit papers to a conference.  Dan mentioned that David Endler, the chair of VOIPSA, had just sent out a note that he was removing moderation from the list, so we will see how the traffic goes over the next week.
  
• 22:53 - Wrapup of the show and information about how to provide comments.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to [email protected].  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Thank you for listening and please do let us know what you think of the show.