Blog.DanYork.com
Personal journal of Dan York - for my VoIP blog, see www.disruptivetelephony.com
Finally getting caught up on content recorded for Blue Box, I finished up on Monday night the interview I did with Ken Camp out at Internet Telephony in San Diego and posted the interview today. Ken responded with his post: "I've been Blueboxed", which gave me a laugh because I don't think I've ever seen the show name used as a verb before!

Martyn Davies ([info]martyndavies) provides a photo of yours truly over on his blog (click the photo to see the larger version) from the Blue Box dinner that we had last Thursday.  It was a great time... Martyn, myself, Dean Elwood, Andy Millar and, for a brief time, a gent whose name I only know as "Sarb".  Lots of great conversation, food, beer... much fun and we'll definitely have to do it again in another city.  Many thanks to Martyn for doing the local organization.  I took a range of photos as well that I'll post at some point.

Fantastic "Blue Box Dinner" last night with Martyn Davies, Dean Elwood, Andy Millar and a brief appearance by "Sarb". Drinks at one pub... very nice dinner... and drinks again at another... and in the latter Martyn whipped out his Zoom H4 for some impromptu recording to be heard on the next Blue Box podcast. Great conversation... all around a great evening... we'll have to do it again another time!

If you happen to be in London, England, next Thursday, December 7th, and you would like to have dinner with a bunch of VoIP security geeks^H^H^H^H^Hprofessionals, we're setting up a Blue Box dinner. I'll admit that I'll be relying on [info]martyndavies for some of the local coordination as I don't know much myself about dining in London... and we're still working out details, some of which will depend upon how many people turn out to be interested. So if you are interested, please follow the instructions in the Blue Box post and send in an email.

I'm very much looking forward to seeing Martyn again, and also in meeting Dean from VoIPuser and some of the others who have already expressed interest.

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

Martyn Davies took this picture of me in my home office (click on the image for a larger view) as we got ready to record a couple of segments during his visit to Burlington this past weekend. I just liked the way this one came out. And yes, I really do have a 3.5 X 5-foot map of the world behind my desk... I'm a map and globe aficionado. Of course you can see Audacity running on the PC screen. My mixer, compressor and external USB sound card are all visible in the lower right... although the second microphone that I set up for Martyn blocks some of that. Nice shot of the Mitel phones, too. :-) Martyn's other shot was good, too, but of course my hand is in motion. And no, I didn't plan to match the bush... (but man, do I need a haircut!)

Thanks, Martyn, both for the pictures and the visit! It's this kind of sense of community that is really what "social media" is all about.

Late last night I uploaded Blue Box Podcast #4142. This show is a bit of a departure... in large part because I don't think Jonathan and I have probably laughed as much as we did in this show... largely due to the fact that we recorded it late one night last week after I had been driving 5 hours up to Ottawa and was very wired on caffeine... but also because it's the first time I have really ranted about a class of companies (It was really my rant - Jonathan was a calmer voice). In this case, it is the VoIP Service Providers who sat up on a Service Provider Shootout panel at the Internet Telephony conference earlier this month and, in response to my public question from the audience:
"All of this is going across broadband connections across the Internet. What are you folks doing to secure the connections to the sets that are in people's homes?"
answered that outside of authentication (which they of course need for billing), they are doing... nothing.

Odds are they actually are doing something to protect availability against DoS attacks (one would hope... but then again, one could be wrong), but it was very clear that they are NOT doing anything to ensure confidentiality. So anything you say over a line connected to one of those providers is in the clear and could be intercepted by someone who managed to get in the path of the RTP stream. Great! They all said they realized that they needed to address it and privately later some indicated it was on the proverbial roadmap.

I've written a draft article for the "Voice of VOIPSA" blog which, after I get a chance to re-read it, I'll actually post to articulate the problems I have with this position. But essentially it comes down to this... without protection of confidentiality and with the continued deployment of more and more endpoints, it is only a matter of time before there is an exploit somewhere... some attacker records a juicy phone call over a VoIP service provider... and then it gets splattered all over the news outlets. Outside of the very real harm to the specific individuals involved, my other big concern is that the media will of course tar all VoIP with the same brush... and so we in the VoIP enterprise space who do have secure solutions will wind up with yet more barriers in the way of deployment as we have to overcome perceptions and objections set by the mass media. It's not a situation I want. Nor, I think, do most people.

Anyway, under the VOIPSA flag I am raising the profile of this issue so that hopefully it will be accelerated on service providers' roadmaps so that the issue can be fixed before it comes back publicly to bite us all in the collective tail. You can listen to the podcast for more info. (Or wait for me to push "Publish" over at the VOIPSA blog.)

One of the things I first noticed in RadioTail Ripple was the list of referrers[1], and found that one that was bringing in a number of links was Hackermedia. Given that we try to stay on the "white hat" side of the ethical divide... and that you are often "known by the company you keep", I was a bit concerned when the first podcasts mentioned at the top of the page were "Binary Revolution" and "Sploitcast"... both of which I actually listen to, but both of which.... well... er... let's just say that their hats are not always white... or even grey.[2]

However, in looking over the page, the folks at Hackermedia have actually done a nice job of assembling various podcasts relating to security from all sides of the ethical spectrum. They also interestingly include some of the technology podcasts from NPR and PRI, as well as SecurityNow! from Steve Gibson and others of interest.

What is also interesting is the construction of the Hackermedia.org website. If you look at what they have done, it's quite neat, really. On either side they have a column with boxes for various different shows displaying the RSS feeds for those shows. Then in the middle they have a "Featured Show" box at the top and then a box showing what has been updated in the various feeds that are being aggregated into the site. This "Latest Additions" box is nice in that it is an aggregation of the various feeds, showing you what's new.

Certainly there are lots of other sites doing aggregation like this, but this is just one that I thought was interesting.

Note, too, that their use of our feed in this way is perfectly legal, given that we license the Blue Box feed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

[1] In fairness to LibSyn, they have always had the ability to list referrers simply by clicking the black tab on the side - I just haven't looked for a while. I was exploring RadioTail Ripple, so I was clicking every tab and button.

[2] And if you don't understand the hat analogy... read here about white, black and grey. We security people do admittedly speak in funny ways sometimes.

Tonight it is pretty clear what I'll be doing... it's a long night of podcast production ahead. I have two "main" Blue Box shows to get out... the really wacky one from last week where I had way too much caffeine and had just been driving for 4.5 hours... and then the much more serious one that Jonathan and I recorded for release tomorrow.

Tomorrow, of course, marks the one-year anniversary from the first Blue Box Podcast #1 that I released on October 24, 2005. I just listened to that (short) podcast again, and had the following thoughts:
  • I forgot how annoying that original intro was with all the phones ringing. Martyn Davies' music is much nicer, IMHO.
  • Gee, I was talking about Skype security.... any surprise that one year later this is still a major topic in the show?
  • I did use a phone ring to separate sections of the podcast. That's something I stopped doing at some point in favor of not breaking up the conversation and just letting it flow.
  • VOIPSA was announcing the Threat Taxonomy and new website.
  • Like we do today, we are still pointing to other podcasts out there.
  • The format was more or less the same as what we use today.
In any event, tomorrow is that anniversary... so tonight, I want to finish up the show so that I can release it tomorrow. Fun, fun, fun.... (and actually, it is fun!)

Back in July, I participated in a Telecom Junkies podcast discussing the then-current Pena/Moore VoIP fraud case. At the time, the Voice Report team had a website that only showed the current episode, i.e. if you missed the appearance of the episode on the home page, there was no easy way to go back and listen to older episodes.

That is changed now. They do have permalinks for episodes and you can get an archive of older episodes. And so... ta da... you can now listen to the episode that we did back in July about the VoIP fraud case. Check it out if you are interested in that case. (Which we have subsequently discussed in a Blue Box episode where we recounted that Edwin Pena is now a fugitive on the run!)

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I've uploaded three shows in recent days:

  • Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!

  • Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company's tools and much more.

  • Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available... please do give a listen and let us know what you think.

As noted over on the Blue Box site, a listener sent in an Asterisk config file that would, he believes, do the voicemail->email setup that I was requesting in one of the shows. I settled on a hosted solution, but decided to post the config file in case it was useful to others.

For those who follow VoIP security issues, I just uploaded Blue Box Special Edition #10, an interview that Jonathan and I did with Gary Miliefsky, founder and CTO of Netclarity, a network security firm that has moved into VoIP security within the past year.  He talks about his company, obviously, but also about VoIP security in general.

I also posted a note that we now have a comment line via SIP.  We have had a traditional comment line over the PSTN since the show began, but several listeners commented that as a show focusing on VoIP, we ought to have a way for people to leave comments over the Internet using direct SIP connections... so now we do!

And... we've already had one audio comment from a listener since I first posted that message earlier today!  Cool stuff!

These last few weeks have been tough on the podcast production front. First, the laptop died, then, just as that was fixed, my desktop PC started acting up. Given that the desktop PC is where I record podcasts, this created a major problem. Jonathan and I actually recorded an episode on August 16th, but when I went to do the post-production, the problems with the audio were just way too numerous for me to easily edit out. So I just had to write that audio file off, purely for time constraints.

The good news is that for whatever bizarre reason, my desktop PC just miraculously started working normally again after a reboot. (This despite the fact that I had rebooted it several times while trying to track down the problem and had no luck at all returning things to working order.) So it appears that I am back in action on the recording/editing front.

The other piece of good news is that Jonathan and I were able to re-do the episode this past Saturday night and the recording went well. Jonathan was in Asia (spending time in Singapore and Malaysia where he is speaking tomorrow) and so we did the whole show via Skype. It had its moments, and I had to reconnect to him several times, but overall it went well. I'm hoping to do the post-production tonight and get the show up on Wednesday as per our attempt at getting into a regular schedule. We'll see.

Before leaving on vacation, I did upload Blue Box podcast #35, which among other things included a great interview with Miguel Garcia around the security of the evolving IMS framework. Definitely worth a listen, IMHO.

about this journal
Copyright 2004-9 Dan York

All opinions expressed here are entirely mine and have no connection to my employer or any other person or organization.

If you enjoy my writing (style or content) and would be interested in a contribution of text to a book, magazine, website, etc., please feel free to contact me as I am always open to considering writing opportunities.
Full Disclosure
Dan York, CISSP, is Director of Conversations at Voxeo. He is also the Best Practices Chair for the VOIP Security Alliance. However, there is no connection between Voxeo and this weblog and nothing stated here should in any way be interpreted as statements or positions of Voxeo or VOIPSA.