Blog.DanYork.com
Personal journal of Dan York - for my VoIP blog, see www.disruptivetelephony.com
Finally getting caught up on content recorded for Blue Box, I finished up on Monday night the interview I did with Ken Camp out at Internet Telephony in San Diego and posted the interview today. Ken responded with his post: "I've been Blueboxed", which gave me a laugh because I don't think I've ever seen the show name used as a verb before!

Martyn Davies (martyndavies) provides a photo of yours truly over on his blog (click the photo to see the larger version) from the Blue Box dinner that we had last Thursday. It was a great time... Martyn, myself, Dean Elwood, Andy Millar and, for a brief time, a gent whose name I only know as "Sarb". Lots of great conversation, food, beer... much fun and we'll definitely have to do it again in another city. Many thanks to Martyn for doing the local organization. I took a range of photos as well that I'll post at some point.

Fantastic "Blue Box Dinner" last night with Martyn Davies, Dean Elwood, Andy Millar and a brief appearance by "Sarb". Drinks at one pub... very nice dinner... and drinks again at another... and in the latter Martyn whipped out his Zoom H4 for some impromptu recording to be heard on the next Blue Box podcast. Great conversation... all around a great evening... we'll have to do it again another time!

If you happen to be in London, England, next Thursday, December 7th, and you would like to have dinner with a bunch of VoIP security geeks^H^H^H^H^Hprofessionals, we're setting up a Blue Box dinner. I'll admit that I'll be relying on martyndavies for some of the local coordination as I don't know much myself about dining in London... and we're still working out details, some of which will depend upon how many people turn out to be interested. So if you are interested, please follow the instructions in the Blue Box post and send in an email.

I'm very much looking forward to seeing Martyn again, and also in meeting Dean from VoIPuser and some of the others who have already expressed interest.

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann's patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

Late last night I uploaded Blue Box Podcast #4142. This show is a bit of a departure... in large part because I don't think Jonathan and I have probably laughed as much as we did in this show... largely due to the fact that we recorded it late one night last week after I had been driving 5 hours up to Ottawa and was very wired on caffeine... but also because it's the first time I have really ranted about a class of companies (It was really my rant - Jonathan was a calmer voice). In this case, it is the VoIP Service Providers who sat up on a Service Provider Shootout panel at the Internet Telephony conference earlier this month and, in response to my public question from the audience:
"All of this is going across broadband connections across the Internet. What are you folks doing to secure the connections to the sets that are in people's homes?"
answered that outside of authentication (which they of course need for billing), they are doing... nothing.

Odds are they actually are doing something to protect availability against DoS attacks (one would hope... but then again, one could be wrong), but it was very clear that they are NOT doing anything to ensure confidentiality. So anything you say over a line connected to one of those providers is in the clear and could be intercepted by someone who managed to get in the path of the RTP stream. Great! They all said they realized that they needed to address it and privately later some indicated it was on the proverbial roadmap.

I've written a draft article for the "Voice of VOIPSA" blog which, after I get a chance to re-read it, I'll actually post to articulate the problems I have with this position. But essentially it comes down to this... without protection of confidentiality and with the continued deployment of more and more endpoints, it is only a matter of time before there is an exploit somewhere... some attacker records a juicy phone call over a VoIP service provider... and then it gets splattered all over the news outlets. Outside of the very real harm to the specific individuals involved, my other big concern is that the media will of course tar all VoIP with the same brush... and so we in the VoIP enterprise space who do have secure solutions will wind up with yet more barriers in the way of deployment as we have to overcome perceptions and objections set by the mass media. It's not a situation I want. Nor, I think, do most people.

Anyway, under the VOIPSA flag I am raising the profile of this issue so that hopefully it will be accelerated on service providers' roadmaps so that the issue can be fixed before it comes back publicly to bite us all in the collective tail. You can listen to the podcast for more info. (Or wait for me to push "Publish" over at the VOIPSA blog.)

One of the things I first noticed in RadioTail Ripple was the list of referrers[1], and found that one that was bringing in a number of links was Hackermedia. Given that we try to stay on the "white hat" side of the ethical divide... and that you are often "known by the company you keep", I was a bit concerned when the first podcasts mentioned at the top of the page were "Binary Revolution" and "Sploitcast"... both of which I actually listen to, but both of which.... well... er... let's just say that their hats are not always white... or even grey.[2]

However, in looking over the page, the folks at Hackermedia have actually done a nice job of assembling various podcasts relating to security from all sides of the ethical spectrum. They also interestingly include some of the technology podcasts from NPR and PRI, as well as SecurityNow! from Steve Gibson and others of interest.

What is also interesting is the construction of the Hackermedia.org website. If you look at what they have done, it's quite neat, really. On either side they have a column with boxes for various different shows displaying the RSS feeds for those shows. Then in the middle they have a "Featured Show" box at the top and then a box showing what has been updated in the various feeds that are being aggregated into the site. This "Latest Additions" box is nice in that it is an aggregation of the various feeds, showing you what's new.

Certainly there are lots of other sites doing aggregation like this, but this is just one that I thought was interesting.

Note, too, that their use of our feed in this way is perfectly legal, given that we license the Blue Box feed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

[1] In fairness to LibSyn, they have always had the ability to list referrers simply by clicking the black tab on the side - I just haven't looked for a while. I was exploring RadioTail Ripple, so I was clicking every tab and button.

[2] And if you don't understand the hat analogy... read here about white, black and grey. We security people do admittedly speak in funny ways sometimes.

Tonight it is pretty clear what I'll be doing... it's a long night of podcast production ahead. I have two "main" Blue Box shows to get out... the really wacky one from last week where I had way too much caffeine and had just been driving for 4.5 hours... and then the much more serious one that Jonathan and I recorded for release tomorrow.

Tomorrow, of course, marks the one-year anniversary from the first Blue Box Podcast #1 that I released on October 24, 2005. I just listened to that (short) podcast again, and had the following thoughts:
  • I forgot how annoying that original intro was with all the phones ringing. Martyn Davies' music is much nicer, IMHO.
  • Gee, I was talking about Skype security.... any surprise that one year later this is still a major topic in the show?
  • I did use a phone ring to separate sections of the podcast. That's something I stopped doing at some point in favor of not breaking up the conversation and just letting it flow.
  • VOIPSA was announcing the Threat Taxonomy and new website.
  • Like we do today, we are still pointing to other podcasts out there.
  • The format was more or less the same as what we use today.
In any event, tomorrow is that anniversary... so tonight, I want to finish up the show so that I can release it tomorrow. Fun, fun, fun.... (and actually, it is fun!)

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I've uploaded three shows in recent days:

  • Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!

  • Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company's tools and much more

  • Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available... please do give a listen and let us know what you think.

Despite the technical difficulties, Blue Box Podcast #36 is now actually available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and involvement with VOIPSA, and many other news items coming out of the conference. I think you will find that, despite the glitches and noise artifacts, it's a good show!

Frustrated in Las Vegas.... Jonathan and I recorded one of our best podcast episodes today... face-to-face in Las Vegas... injecting some interviews (both planned and unplanned)... some shoutouts... all a good show - all focused on Black Hat. Recorded on my lapel mics plugged into my Marantz PMD-660 and then uploaded via USB to my laptop.

And then came "post", as in "post-production"... and the discovery that yes, indeed, something must seriously be wrong with the disk drive on my laptop. The WAV files wound up having holes in them. It seems like a disk block was just... missing! Whether in Audacity or iTunes, when the player got to that part of the file, it just hung off in space for a few minutes. And annoyingly it happened several times in the main show file. Now, I might blame the Marantz... but I've been having other problems with this laptop's disk that lead me to think it is the culprit.

Unfortunately, because I'm recording in high-quality WAV format, after I've uploaded the files to my laptop and then done a quick check that it played, I've removed the files from the PMD-660 so that I can make other recordings - so the original recordings are now completely gone! VERY frustrating!

I'll be able to see if it is the Marantz vs the hard drive with the Phil Zimmermann interview that I still have on the system. I'll copy it over to the laptop and do the post-production to see if there are gaps. Meanwhile, I'll leave it on the Marantz so that I can always re-upload it. We'll see soon.

Meanwhile, I'm thinking that on my next trip to Ottawa, this laptop may need to go in for a full lobotomy...

Just finished a wacky recording session with Jonathan face-to-face here at Black Hat. We were in a side press room that was thankfully quiet, but with the interruptions of the door, other people around... random guests coming in... etc. It was a lot of fun to do it f2f... and we have a bunch of inserts into the show. It's going to be a long "Black Hat edition"... I'm going to go grab lunch quickly and then get into post-production to see if I can get it up online today.

"Do you want to Biggie-size that?"[1]
Did the editing on our super-sized Blue Box episode last night. Tonight I get to do the final post-production and write up the show notes. Our listeners have told us that: a) they like interviews in the middle; and b) length doesn't matter because you can listen in segments. Well, even knowing that, we are definitely going to push the limits... I mean, this one clocks in at 1 hour and 49 minutes! I don't even want to think how long the MP3 export will take. Probably 30 minutes or more. It will be a while, that's for certain.

The show is a good one... lots of news and then about a 38-minute interview with David Schwartz, the CTO of Kayote Networks, followed a while later with an 18-minute interview with Rodolfo Rosini, the CEO of Cellfire Security, plus our usual listener comments, VOIPSEC review, etc. Why so much in one show? Well, we had the interviews and given that I'll be away for a week we figured we'd give people a big version this week. We could have broken it up into two shows and had another one come out next week... but we decided just to stuff it all in one show. Fun, fun, fun...

[1] As an aside, do you think the people who say that ever pause to consider how absolutely ridiculous it sounds?  I mean, "Biggie-size"? Huh?

It is hard to believe that "Blue Box: The VoIP Security Podcast" is six-months-old today. Podcast #1 launched on October 24, 2005. I've not dared to go back and listen to that MP3 file, actually. I've learned so much - and our show has progressed so far - since those first early days. I'm not sure I could stand the "phone rings" intro again, either. It was a bit much. Here's some stats about the last six months:
  • 31 podcasts (with two more done that I'm hoping to get out tonight)
  • 21,000+ downloads of all the shows
  • averaging around 800-1000 downloads of each weekly show
  • 450+ subscribers to the RSS feed
I could go on... but I actually need to spend the time tonight working on getting out our latest episode... all I can say is that it has been a whole lot of fun (and work!) and has introduced me to some wonderful people.  It's an honor to me that people keep on listening and I look forward to continuing to produce these shows. Now, off to work...

I posted Blue Box podcast #23 late Sunday night as I was getting ready to leave for DC. Jonathan and I cover the news and also the wide range of comments we got this week.

No interview this week... we have one already done, but we had a number of connection problems with the guest and so the post-production has taken a bit of time... and the worst thing is that I had it basically all edited Sunday evening when dear old Audacity died for the first time in ages... and it turned out that I hadn't saved during my editing session! Ugh.... so, running out of time, I made some quick edits to remove our mention of the interview and posted the show without it. I'll redo the editing (saving as I go) later this week and include it in our next show.

We also introduced a book promotion with this show. To encourage people to submit audio comments, we have arranged with O'Reilly & Associates to give away one copy of their new book (from Syngress), "Practical VoIP Security". We are going to randomly draw one of the names from anyone who sends in an audio comment in April.

Why are we doing it? Well, partly it is just something fun. And partly I have found that people who start sending in audio comments are more likely to continue to send in audio comments. So this is mainly a part of an effort to encourage people to start, with the hope that some of those who do will continue to do so on an ongoing basis whenever they feel moved to do so.

BTW, in reference to my earlier post, our Frappr map has now blown by 100 users and is, at the time I write this, now at 113! Very cool to see.

Profile
Dan York (user: dyork)
My Other Weblogs
- Disruptive Conversations
   (social media, blogs, PR, etc.)
- Disruptive Telephony
   (Voice over IP, telecom)
- Blue Box: The VoIP Security Podcast
- Voice of VOIPSA
   (VoIP Security Alliance)
Copyright 2004-9 Dan York

All opinions expressed here are entirely mine and have no connection to my employer or any other person or organization.

If you enjoy my writing (style or content) and would be interested in a contribution of text to a book, magazine, website, etc., please feel free to contact me as I am always open to considering writing opportunities.
Full Disclosure
Dan York, CISSP, is Director of Conversations at Voxeo. He is also the Best Practices Chair for the VOIP Security Alliance. However, there is no connection between Voxeo and this weblog and nothing stated here should in any way be interpreted as statements or positions of Voxeo or VOIPSA.