VoIP Now

The term SPIT stands for Spam over Internet Telephony, which may or may not include vishing attempts. I've never noticed this until recently, but on the Share Skype blog, each person commenting on a post has their Skype id revealed, as well as their current online status.

On the one hand, it's kind of cool because you can click-to-call that commenter. On the other hand, a spambot can easily harvest the page and compile a list of Skypers for later SPIT/ vishing activities en masse. It's possible this feature has always been there, but I've never consciously noticed. How do you feel about this? Do you think it's a big deal or nothing to worry about?

The Eye in the Sky: Pushing the IP Communications Envelope
There's been a lot of talk about SEDs - service-enabled devices. SEDs will have their own IP address and are thus pingable across the Internet. Now, imagine that you could query a satellite view a web browser. That's what Iridium is planning: satellites that monitor the Earth, taking pictures. And because they'll be IP-based satellites, Iridium can sell services over the Internet to clients who need to monitor, say, a facility.

Privacy Obligations For VoIP and Telecom Providers
The US FCC is rethinking how it will expect telecoms and VoIP providers to handle CPNI (Customer Propietary Network Information) data - or what amounts to call records and subscriber information. This is as a result of the Hewlett-Packard phone records pretexting scandal and similar cases. Privacy and Security Law Blog has more details on some of the new rules that may be imposed.

Cell Phone Been Bugged?
Despite all the issues of communications -related privacy and security, it's unlikely that most of us have our phones or IP communications bugged. But for whatever reason (jealous spouse, insane employer), if you suspect you do, check out Lauren Weinstein's post How to tell if your cell phone is bugged and the accompanying YouTube video Is your cell phone bugged?

This article about cell phone spam is now proven to be false, but the thought is frightening. Imagine if your cell phone number was legally allowed to be given to telemarketing firms, who could then call or text you mercilessly, all at a cost to you? Your monthly minutes would be eaten up fast. If it happened, would you throw your cellphone in the trash? If you have a contract, forget about it. It'll still cost you.

So let's hope that someone in Washington is at least aware of the potential threat and makes sure consumers don't get stiffed. Pretexting is bad enough; this would be even worse. On the other hand, I can "see" how a Linux-based cell phone could be programmed to auto-filter out unknown callers. Auto-blocking of unknown numbers should be a standard option. Does anyone know if any cellular providers offer this?

Of course, you can still get the equivalent of cell phone spam by using an email text-to-voice application and listening to your spam.

VoIP Comm Now Mainstream?
Ken Camp points out that VoIP is no longer a niche and that it's gone mainstream.

San Fran Wi-Fi Is No-Fi
At least for now, San Francisco is delaying their citywide Wi-Fi network. Again. This is the network that Google is involved in. The issues come from within city council regarding who will own the network.

US Cellular Network Outages Kept Secret
When cell phone networks have service outages in the United States, they aren't announced. In fact, the FCC ordered "wire line" suppliers in 2004 to report them, but in turn removed them from the Freedom of Information Act. [via VoIP and Enum]

Someone's psychology, sociology, and/ or electronic anthropology doctoral paper is lurking beneath all this latest research that shows phishers/ spammers/ scammers are using ever sophisticated methods to grab your attention so they can grab something of yours - preferably e-money.

Now I'm not going to get into the psych makeup of phishers; that's not my intent, despite my opinions. But the low cost of the latest communications technology and its ease of implementation makes it ever so much easier for you to at least be a target if not a victim. That means more vigilance in 2007 and beyond, as several experts are saying that the lastest avenues for phishers are vishing and smishing (SMS phishing). VoIP and SMS are, in fact, the latest tech platforms for phishers.

Tech intelligence and social intelligence seem unfortunately mutually exclusive in these cases. Fortunately, about computer-based crime in general, those getting caught are being given stiffer penalties.

VoIP sys admins will have another potential tool in their arsenal with new VoIP quality monitors
from Network Physics. The offering, called NetSensory Solution Insight for VoIP, works as an extension set for Network Physics' appliances. These extensions measure over 60 metrics related to VoIP call quality.

As I've pointed out before, there are many factors that affect VoIP call service, but I wouldn't have thought there were even 60 IP metrics, let alone that many that affect call quality. Things I haven't touched on before, which Network Physic's solution does, includes using the appropriate CODEC (Coder-decoder) algorithm. Essentially, there are different algorithms to compress and decompress digital audio data, and some perform on the fly better than others, depending on issues related to both network and computing resources.

Grandmaster Bobby Fischer caused a ruckus in the 1970s. when he he denounced the United States - where he grew up - and made pointed political comments. More recently, he renounced his US citizenship to avoid deportation to the US and a 10-year jail sentence. He also spoke in Iceland about President Bush's "regime". By comparison, Umakant Sharma, an Indian chess player, might be considered less trouble, merely cheating at chess using a Bluetooth device stitched into his cap. Now, this isn't the Bluetooth ski cap Motorola offers, but this certainly would be one unexpected way to use it. It's not like it's hard to configure Bluetooth headsets.

His accomplices would run chess simulations on a computer and relayed info to him. Sharma has been banned for 10 years. Maybe he can join Fischer on the fugitive lecture circuit.

Who woulda thunk it? Skype recently suffered from a Trojan horse attack in the Chat mode, which on some computers tried to get users to download an sp.exe file. Apparently, the Yahoo Messenger IM had a Trojan virus as well.

These events show that certain types of VoIP service are susceptible to some form of attacks. Now security experts have been saying that things will be worse in 2007. This is on top of vishing attacks, which are expected to grow. Add to this the fact that e-911 is being mandated of VoIP providers in the US by the FCC. This could be yet another advantage for pure play VoIP services such as Vonage.

It's pure coincidence but as I'm working on this brief article, I've just finished hearing Led Zeppelin's classic Communication Breakdown song. Radio 3net has their own 500 top albums for listening for free online. Yeah, 500. And all the classics are there; all you need is Windows Media Player to listen.

That said, this is a brief overview of some of the issues that could make or break how widespread IP communications becomes. Or at least delay ubiquity.

1. Countrywide bans.
   First, numerous countries in the Middle East and some in Asia (China, South Korea) either fully or partially banned VoIP services - except to the status quo providers in some cases. Then India, who recently allowed Yahoo to provide VoIP services, decided they were going to ban outside providers.
2. Jail sentences.
   Seriously?! Vietnam sentenced a South Korean business man to 16 years in jail after he set up five VoIP systems in Hanoi and Ho Chi Minh City (formerly known as Saigon). It's amazing to think that in the 21st century, there are still people in power who are short-sighted. Or do such people just gravitate to government? Why not absolve him, make him pay a provider fee and a fine, and actually utilize his entrepreunerial spirit? That would actually make sense. This is a similar VoIP crime to what five Asian men did in Namibia, but were out on bail.
3. e911, e999, emergency services.
   Or lack of them. Let's not forget that 911 in the United States was not ubiquitous until, I believe, the late 80s. Still, that's no excuse. In E911 still struggling after 10 years, Wayne Rash says that there's a 16% chance your wireless 911 call won't go through, or that the emergency center won't know where you are. Sad but true. (I didn't know that it's been 10 years since the US FCC mandated e911, aka enhanced 911.) In the UK, they call it 999, and pending regulations by Ofcom (the regulator) could put lives at risk according to ITSPA (Internet Telephony Services Providers Association).
4. Perceived security issues re closed protocols.
   I.e., Skype, which in some cases is the reason countries, corporations and universities have banned Skype in particular.
5. Wiretapping.
   Let's not be naive. Several countries including those considered democracies already have widespread wiretapping in place, whether you know it or not. But Internet tech experts have openly said that architecting a backdoor into VoIP soft clients is not only very difficult but a bad idea.

When Skype recently released its version 3.0 for Windows, it introduced a version that was harder for Skype blockers to detect it. No doubt this has caused grief in the hearts of all those sys admins in countries (and universities and corporations) who have been told to block Skype. Dal at AsteriskVoIPNews provides some technical details about how Skype achieved their cloaking, and what Skype blockers are doing as a result to detect and block the software.

Speaking of blocking, Nokia has launched their own VoIP blocker. What are they thinking? This is the company that announced IM over all their latest cell phones. Why do this then?

Skype's gone release mad these past few days. First it was Skype 3.0 for Windows Beta, then yesterday 2.5 for Mac Beta. They also released an update for 3.0 Windows Beta, and very quietly, Skype 3.0 for Windows - Business Version. What gives? Why not announce it? Are they shy because they themselves said Skype's not meant for the enterprise? The download page does say that it's only for experienced users, because they're still working on it.

The so-called "business friendly features" include a Windows Installer (MSI), increased security, easy deployment, admin control, and multiple account management from the "Business Control Panel". And then there's the standard features. I'll have to look into these further at some point in the near future (probably after it's out of beta), but this version could go a long way towards assuaging the fears that several companies and a few universities have had about security and other issues. And since it's still free, the monetization will have to come from SkypeIn, SkypeOut, and Skype-certified Wi-Fi phones, I guess.

Now, marrying Skype with an IP PBX, such as Pika Technologies has done, makes sense.

Almost every guy that's ever gone nightclubbing probably has the same goal: meet someone. For whatever reasons. And no doubt some have scored a phone number. Out of those, there are the guys that got a real number and those that got a fake one. If you sit back and think about it, it's understandable. Some guys are relentless, and women generally aren't very confrontational; at least not in the past. So to defuse the situation, some of them hand out a fake number. Well online dating has changed the entire dating game, the environment, the rules, etc., but the objective is essentially the same: meet someone compatible. But for women especially, some semblance of anonymity is desirable. To that end, a new service, MatchTalk, from dating site Match.com, uses VoIP technology from Jangl to set up calls between two members without revealing phone numbers.

It's nothing new; Jangl offers their own semi-anonymous calling. Match.com has just integrated Jangl tech [Alec Saunders] into their offering. MatchTalk sets up a unique phone number between each two members that want to connect, so their own phone numbers don't have to be handed out until and if they are ready. This is a step up from Verbdate, which reveals your Skype username if you allow it to be public. Now if someone just added semi-anonymous video calling, touch, smell, etc., nightclubs might just go out of style. But seriously, long-distance relationships would be easier to maintain.

Skype Enterprise Features Coming?
Skype execs have hinted at upcoming enterprise and call center features. So maybe this will be how eBay finally monetizes Skype?

Speed Demons
The 100-Gigabit Ethernet (100-GbE) technology is here, being demonstrated by a number of companies and the University of California Santa Cruz. A test run sent a signal from Tampa, Florida to Houston, Texas, and back - a first for a live production network. If I understand this correctly, IP backbones will get this technology fairly soon. And as 100-GbE becomes commonplace, likely in several years time, it should mean some incredible real-time video conferencing ability, superfast downloads of movies, and live video broadcasts, to name just a few benefits.

Legal Issues Surrounding VoIP Enterprise Implementations
TechRepublic details legal issues to be aware of when planning a VoIP implementation. They have real alphabet soup of issues, some of which I've only peripherally aware of: SOX/ Sarbox (Sarbanes-Oxley Act), GLBA, HIPAA, E911.

One hot voice application space that will be useful in biometrics is voice recognition [Unified Communications]. It's likely less disconcerting to users than, say, fingerprinting, palm vein scans, or facial recognition. This type of app has been around for quite some years, but accurate voice recognition has been waiting expectantly, ready to be called upon - something that's only now happening due to more powerful computers. And there is the potential to use it in mobile phones in the future - at least in my estimation.

To my knowledge, voice biometrics is hypothesized as being accurate - i.e., that human voices are unique enough that they can be used for user authentication purposes in mobile payment, secure access, or other applications. If this is indeed true, or at least sufficient for most authentication purposes, say coupled with a verbally-administered PIN code or password, then all that remains is the horsepower needed for mobile handsets. We live in interesting times.

If what Ken Camp is saying in Advances in 3G mobile solutions include facial recognition in video, you might want to make sure that you wake up on the right side of the bed. Imagine: your hair is mess, you're bleary-eyed, and depending on your inclination, your face is either unshaven or unmade. And guess what? Your mobile phone doesn't recognize you and won't let you place a call. Damn biometric machines. Always thinking for themselves and getting it wrong.

Of course, I'm exaggerating. You don't have to worry about video calling etiquette for video-based facial authentication. But there are experiments going on that use facial biometrics to control functions on a mobile phone. This includes more important functionality such as contactless payment, access control, and identification. The biggest problem I see with this, which Ken also points out, is environmental conditions (such as darkness) that might give an inaccurate biometric and thus lock you out. It'll probably take a few years for DoCoMo and others to work these issues out. But if they succeed, we'll certainly live in interesting mobile times.

VoIP Telephony Service blog has a list of six ways to block Skype using a variety of products and methods, plus a reference from another blog about a seventh. Most of the methods detect and block P2P (Peer-to-Peer) traffic, so it wouldn't be just Skype that's being blocked, but also torrents and other related applications. It appears that part of the fear regarding Skype is that customers are not sure what Skype is doing because its streams are encrypted. (At least, that's what the VoIP Planet article that is quoted is saying. Tom Keating also has an article from last year with some more indepth info about blocking Skype.

This is sort of what I was trying to get at when when I said that Skype was ruffling feathers. I love Skype just as much as the next Skype lover (and SightSpeed and a few other apps as well). But their lack of an open standard, as well as their relative popularity, is going to ruffle feathers. Phil Wolff gave a good explanation of why there are feathers being ruffled.

There has been some confusion lately about Skype's use in Jordan. First it was blocked for security reasons.  Then the decision was reversed. Then some blogs reported that it had been blocked again, due to an intent to protect the local economy. Apparently there's some confusion. David M. DeBartolo, a Fulbright Researcher in Jordan, interviewed the Jordanian telecom minister on Oct 17th and reported his findings in Skype Journal.

The minister, Eng. Omar A. Alkurdi, gave a response that sounds like something a typical politician would give. However, given that SJSU (San Jose State University) in California had planned to block Skype for security reasons (but backed down), it's possible. Apparently the minister is himself a Skype user. While Jordan may now have Skype again, a number of Emirates in the UAE (United Arab Emirates) is still blocking Skype, as is China, and with plans to do so in South Korea.

There seems to be a common refrain here, though. Skype's closed protocol seems to be ruffling feathers everywhere. Here's a prediction. Given a couple of years, Skype will either open up their protocol, or offer some way to make other VoIP services Skype-aware.

New Bloggers: Sightspeed CEO
Peter Csathy, the CEO of Sightspeed - the video and voice calling software - has joined the ranks of bloggers with his DigtalMediaUpdate weblog. [via VoIP Watch]

AllWorx Wins Telephony Award
The 2006 Internet Telephony Excellence Award, issued by TMC (Technology Marketing Corporation). has been given to Allworx for their 24x VoIP system. Allworx is a division of inSciTek, who earlier this year received US$2M in VC funding to expand their Allworx line of VoIP products.

Intrusion Prevention For VoIP
Industry Canada, an agency of the Canadian government that promotes the "knowledge-based" economy and business innovation, including telecommunications policy, etc., is working with Third Brigade to test "intrustion prevention" technology that safeguards converged networks (data, voice, video). [via InterGovWorld] Brian O'Higgins, co-founder and CTO of Third Brigade will be giving a talk in Ottawa, Canada, on Thurs Oct 19, 2006, about the state of the art of intrusion prevention in computer and network security.

The Swiss government is considering a piece of spyware-like software that would be used for wiretapping VoIP calls. The software would not be available to anyone except agencies, but one question is how it would be installed. Both The Register and TechWorld have written about it. If the Swiss government does this, it begs the question of whether any VoIP recording should ever be admissable in court.

If you've spent anytime on YouTube, you might have seen one of the probably many video mashups of some famous person reciting something, maybe a song. For example, this one of President Bush "singing" the lyrics from the U2 song Sunday, Bloody Sunday, which is about an awful event in Northern Ireland three decades ago. Watching the video, it's obvious that it's been mashed up, doctored, or whatever you want to call it. But had the video portion been removed and the intentional audio hiccups been cleared up, it might have been harder to tell that the audio was not authentic in that form.

Take things a step further, and you can see that with the right equipment, audio "proof" of VoIP phone calls could be concocted to make someone appear guilty of something. A frightening thought. In the wrong hands, people could be convicted something they didn't do. History has show this to have happened to dissidents, and not just in countries outside the USA.

The movie Minority Report, based on a Philip K Dick short story, comes to mind. Falsified VoIP recordings could be used to pre-convict someone. I know I'm simplifying, and I'm fully aware of a wide range of mathematical algorithms for analyzing sound. (I've written my own FFT (Fast Fourier Transform) software to analyze audio and visual signals.) I also don't want to delve too deeply into politics, but I'm concerned about acts like CALEA, and regulations on VoIP.

One of the great benefits about VoIP and IP telephony in terms of business use is that a voice call now becomes data. What that means, amongst other things, is that a VoIP system adminitrator can manage user accounts invidually or in groups. Access can be given to voice-related data - such as call recordings - in the same manner that computer file access can be given. It also means that a group of people can be given access to long-distance calling, file transfer, application sharing, or what have you, with relative ease. While traditional telephony offers some of these group-access features, VoIP telephony makes it fairly easy to implement advanced features without special phone lines or equipment. As well, VoIP calls are treated as a computer resource, so security is easier to implement.

VoIP Hacks
Congrats to Ted Wallingford on the publication of his book VoIP Hacks, which is out now. It has all kinds of tips to improve call quality, record calls, create special effects, and more. For example, a trick to sounding like Darth Vader. Might be great if a visher calls you. Silence!!! You begin to annoy me!!! I gotta get me to a book store. (Sorry, don't like buying books online, as I like tactile browsing.)

Virtual e911?
Tom Keating has a snortingly funny silly scenario about potential e911 confusion due to the Second Life online RPG (role playing game) having VoIP ability via Vivox and others.

Making Municipal Wi-Fi Work: Thoughts
The Pulvermedia website has a podcast of an interview with Don Fitzgerald, who is in charge of the municipal Wi-Fi project in Frederiction, New Brunswick, Canada. It's apparently the first city in Canada to offer free Muni Wi-Fi, although Toronto will probably be a close second. The interview is part of the series Canadian IP Thought Leaders.

Believe it or not, Google's official Blogspot blog was hacked over the weekend. Some wag posted, in bad grammar and spelling, that Google's click-to-call project was being cancelled. This of course would be odd considering this project is partly in collaboration with eBay. Click-to-call and VoIP SOA in general are too important a new niche of VoIP for a company as large as Google to suddenly change their minds after signing a big deal. It's not necessarily about immediate costs but more market share.

The Google blog has been hacked before. However,  no one is saying it, but it's probably some disgruntled outgoing employee whose access hadn't been terminated. That makes more sense and is less worrisome than if it was some random hacker outside the company. Om Malik wrote about the official stance from Google.

VoIP blogger Alec Saunders talks about a new Instant Messaging monitoring tool for parents that has been created by his friend Brandon Watson. Called IMSafer, it would run in the background on a computer, discreetly monitoring IM text conversations and using lexical analysis to determine if the person talking to your child might be a sexual predator. The analysis techniques used are the same used by law enforcement.

I have no children myself, but this is a wonderful idea. It's unfortunate that we need these things, but we do. And with VoIP use becoming more widespread, maybe someone can marry voice-to-text translation with something like KishKish lie detector for Skype and come up with something that can protect people from vishers.

In spillover activity spurred on by the recent Hewlett-Packard "phonegate" scandal, Verizon is suing 20 data brokers for fraudulent activity re pretexting. Pretexting is where someone pretends to be someone else so that they can access their phone records. Interestingly, the president and vice chair of Verizon is on the HP board of directors. Verizon says it has spent $100,000 investigate the pretexting fraud.

In related news, Democrats in the US House of Representatives, controlled by the Republicans, stalled a bill to make pretexting illegal. The activity is illegal in some states, including California, where the alleged activities took place. As part of an US House of Representatives probe into the pretexting scandal, five private investigators and at least two HP executives have been subpoenaed. HP is also under investigation in California.

The US House of Representatives has been busy subpoenaing people, including five private investigators and at least two HP executives, for the House probe into the Hewlett-Packard scandal. The whole mess was precipitated by now-former Chair Patricia Dunn when she had PIs access the private phone records of some board members.

Her actions were outside of any legal action such as CALEA. In fact, records were obtained by pretexting, an illegal method that involves having people impersonate someone else to access records. (I've had something similar happen to me. A now ex-friend impersonated me just over ten years ago and convinced my phone company at the time to transfer yet another person's phone bill to my phone. After a shouting match with the company, who denied they'd ever do such a thing - despite my friend's confession - I switched to cell phones, and now VoIP, and have not owned a landline since.)

Here's a quick roundup of what other VoIP/ IP media bloggers are talking about for IP communications ....

Om Malik at GigaOm says that VoIP loves small business but that maybe too many new VoIP startups are focusing on SMBs as their customers.

Cameron Sturdevant and the gang at eWeek Labs have been able to prove that VoIP can coexist with server security such as SSL (Secure Sockets Layer). Which I think means that businesses (and universities) can implement soft VoIP without the same concern for security as they might have had. Andrew Garcia, also at eWeek, offers an option for IT managers at SMBs who want to use VoIP but don't want to replace hardware: virtual PBXes. When you finish that, look at Garcia's article about some new VoIP gear from D-Link, including routers aimed at the small business market.

I have no previous knowledge of QQ is, but Phil Wolff at Skype Journal is speculating on a merger between them and Skype (as well as something eBay China being purchased by Tom.com, a Skype partner). Wolff also wonders if Skype could be like Mercora's IMRadio service, allowing you to build and broadcast your own Internet radio station. The technology's in Skype already. Hey, I've already watched Japanese TV from Skype.

Speaking of Skype, The VoIP Girl gives the lowdown on the meaning of all those shiny little icons in the Skype interface. She also throws in a list of VoIP services for Canadians, to supplement the ones Canadian tech blogger Mark Evans listed.

After the arrest of five foreign nationals in Namibia providing VoIP service without a license, as well as goings on in various Asian and African countries in regards to VoIP, you might be wondering if VoIP is under attack there. Marcelo Rodriguez takes a crtical look [Voxilla] at what Russell Shaw [ZD Net] and Rich Tehrani [TMC Net] are saying.

Rodriguez points out that both Shaw and Tehrani mention "Third World" countries as locales where VoIP seems to be under attack, possibly due to affiliations between the government and the traditional telecoms, but that they leave out the US as being in a similar category. (Examples: Korea and the UAE blocking Skype.) He then goes on to reveal several examples of lobbying, campaign contributions, and all-expense golf vacations.

The Voxilla piece is very revealing and extremely politically charged. I'm going to take my cue to up the voltage. Let's take a few separate scenarios. First scenario, conspiracy: the entire telephony system in North America is fully wiretapped and all calls are monitored either by humans or machines, for whatever political purpose the real men with power wield. Second scenario: the first scenario is crock, but phone calls are a valuable commodity and thus extremely lucrative. Third scenario: a combination of both the first and second scenarios.

Choose your scenario. Either way, VoIP threatens the status quo, and hence spawns acts like CALEA, possibly attacks on Vonage's share price, and debates like neutrality vs tiered Internet service. Everything that is happening politically in telephony satisfies one of those three scenarios. Let's face it: VoiP is a threat no matter how you slice your political pie.

Not too long ago, 23 year old Edwin Pena and his accomplice Robert Moore were arrested for stealing and reselling 10M minutes of VoIP service. Pena recently went on the run and is being sought by authorities for skipping bail. Now five Asian men have been arrested in Namibia for selling VoIP without a license, based on the country's 1992 Postal and Telecommunication Act.

Bail was set at N$3,000 each and was paid. But the group will have to return to court at the end of October and may face jail time. This seems way out of whack. Wouldn't a fine be sufficient? Skype had been told by the Korean government recently that they did not have the appropriate license. No fine was levied, and Skype stopped taking new memberships from Korean citizens.

The primary difference in crime between Pena/ Moore and the five foreign nationals in Namibia is that the former group stole service from other VoIP providers. But they went to great technical lengths to do so, and got away with it for quite a while. The Nambian five were caught when they tried to sell VoIP service to a member of the public.

Additional sources: VoIP News Australia, All Africa, TMC Net.

Some experts are saying that VoIP in the enterprise represents serious security risks [CIO], making a company vulnerable to vishing (phishing via VoIP) attacks. One anonymous security researcher claims that bank networks will be subject to penetration and the phone lines to hijacking - thus leading to the theft of credit card numbers and bank account data.

Now I'm not a VoIP security expert, but I can make an educated guess, based on my many years of computer experience, that this guy, who goes by the pseudonym "The Grugg", is grossly exaggerating the security issues, potentially to gain some attention. It's absurd to think that banks, who have been dealing with electronic security issues for several decades now, would even think to put their data and VoIP networks on the same lines. Besides telecoms, I've worked at a big mutual fund company. Even they had backup and redundant networks, with firewalled access to account information.

While it's likely true that little technology exists at present to filter out vishing attacks, there's nothing that says a bank's data network has to run on a VoIP network. And just because a bank's telecom system is converted to IP telephony doesn't mean the data network is suddenly at risk. In fact, if someone wanted to mount a vishing attack on a bank, they could do so already using an existing VoIP system (sorry, not going to tell you how). And they wouldn't have any more or less success than if the bank had a VoIP network or not. (On the other hand, a VoIP phone system could potentially be taken offline by a DDoS (Distributed Denial of Service) attack if a load balancing system is not in place.)

Despite what The Grugg (give me a break) is saying, I'm not so sure that bank data networks are at risk. Of course, I could be proven wrong, but let's hope I'm not, as this expert is saying that vishing attacks on banks will probably start later this year. I wonder how he knows this.

Steal VoIP, go to jail. Or if you're Edwin Pena, barely out of his teens, you go on the lam, possibly using your 40-foot speed boat, which was paid for by resold stolen VoIP service. Pena was arrested by Miami police a few months back, along with his buddy hacker. They supposedly stole and resold around 10 M minutes of VoIP service and were facing up to 35 years on a couple of charges. Pena skipped bail and is suspected of heading somewhere from where he can't be extradited. Time to bring in the CSI: Miami crew, though I'm not sure they've covered any telecom crimes to date.

These two guys are obviously bright minds, given the way they engineered their whole set up. Had they thought just a bit further, they could have been doing VoIP security consulting and making good money, instead of doing time. Given the shortage of skilled workers in the IP telecom industry, it's a waste. A good mind is a terrible thing to waste; a good VoIP mind even more so.

President Asks For Warrantless Wiretaps
US president George Bush is asking for warrantless wiretaps, particularly in relation to prisoners held at Guantanamo Bay. [via CNBC TV] Recently, US District Court Judge Anna Diggs Taylor ordered a halt to the wiretapping program, concluding in her report that warrantless wiretapping is unconstitutional. CALEA allows a backdoor for law enforcement agencies to wiretap calls if public security is threaten. However, the wiretapping program in question was secretly signed by President Bush in 2001.

Telus Corp Wins 5-Yr Telecom Contract
The government of the Province of Ontario (Canada) awarded Telus Corp (second-largest Canadian phone company) a five-year, Cdn$140 M contract to manage and supply various network services, including IP communication. [via CNW] Telus recently announced that they were converting to an income trust.

Yahoo Messenger Plugins: Pandaf Sudoku Battle
Not sick of the immensely popular Sudoku number puzzles? The Pandaf Sudoku Battle plugin for Yahoo! Messenger 8 lets you battle against an opponent. I assume you race to finish first. This is of course quite the variation on the puzzle, as it's traditionally a one-player challenge.

Stratus Techologies Acquires Emergent
  Stratus Technologies announced the US$10 M buyout of Emergent Network Solutions [Extreme VoIP], a VoIP infrastructure company.

Jupiter Web is giving away free copies of the Avaya edition of VoIP Security for Dummies eBook (PDF, 68 pages) in consideration for people joining the Avaya developer community. The link was sent to me in a regular Jupiter Web email, so I cannot guarantee you'll be able to use it, but I don't see why not.

The ebook is pretty "dummy-ish", in the sense that they've simplied a wide range of IP telephony security issues and summed each of them up in a few short paragraphs. It even mentions privacy issues such as CALEA (Communications Assistance for Law Enforcement Agencies) and a number of US govt regulations that add up to considering why you should record VoIP calls in your company.

This is certainly not a book you would use to actually implement VoIP security measures, but it's not a bad place to start if you feel you don't know enough about the issues, or don't know where to start reading about them. (The book is of course geared towards discussing Avaya solutions, so it's not exactly vendor-neutral.) You can sign up free (just your name, email, and job function) at this Jupiter Web page and download your copy.

Your company has sensitive information and you think that one of your high-profile board members - not employees - is leaking details to the media. What do you do? If you're Hewlett-Packard's Chairwoman Patricia Dunn, you hire private investigators and obtain phone records [CRN] for the suspects. Problem is, those investigators used illegal means to acquire those phone records. Now, the California attorney general is investigating the whole mess.

Acts like Sarbanes-Oxley (aka Sarbox) were designed to protect investors by instituting a number of measures that would ensure transparency in accounting procedures of public companies. The act might even be interpreted in such a manner that a company would decide to record all employee conversations for Sarbox and even CALEA reasons. In this case, however, the records of home and cell phone calls of board member George A Keyworth were obtained, which I'm assuming is out of the scope of both Sarbox and CALEA.

In light of this, I'm wondering if soft VoIP calls stand a chance of not being put under the domain of CALEA. Soft VoIP does not yet have a backdoor (for law enforcement) for recording calls, but some politicians are pushing for it, for dubious reasons.

New software designed for laptops, intended for Army and medical personnel in Iraq, translates English-Arabic audio conversations in near real time. The software, called IraqComm, records spoken words, translates them, and plays the translations. The process takes a few seconds. The predecessor to IraqComm was a handheld device called Phraselator. [via Technology Review]

While IraqComm is currently for military evaluation only, it is also intended for a variety of other users. It shows the potential market for automated language translation tools. It certainly would be nice to have something like this for Skype which, to my knowledge, only has something like ULRTMT, that translates text nearly on the fly.

It's always nice to see VoIP being used in unique new ways, and that's exactly what InnovAlarm is doing. Imagine home and security alarm systems, but which use Skype or another soft client instead of regular phone lines. The service is in pre-beta. [via Read/Write Web]

The only drawback with this application is that your computer has to be turned on. I'm wondering if there's a market for a similar solution using phone2phone with a VoIP bridge, using hardware such as Digifone's plug'n'play adapter. Phone2phone VoIP calls generally seem to have better quality.

There's obviously a perception that there is a market for InnovAlarm's method. In fact, Read/Write Web reports that the company will be getting $10 M of venture cap in Q4 2006.

CALEA, or Communcations Assistance for Law Enforcement Act, has a lot of misconceptions surrounding it in terms of its applicability to VoIP, as well as security issues. The IT Association of America (ITAA) has isued a report (PDF, 21 pgs) to educate VoIP service providers.  [source: TMC Net]

The deadline for CALEA compliance for VoIP providers is May 14, 2007, and the ITAA questions the ability of smaller providers to comply in time, due to the expected financial cost. Amongst other things, they also question whether standards can be developed for CALEA for VoIP because of all the different VoIP types. The ITAA paper includes Vinton Cerf of Google as an author.

Another group, GLIIF (Global Lawful Interception Industry Forum) issued a rebuttal (PDF, 8 pages) with pretty much the exact same title as the ITAA document.

My pure gut instinct says that the GLIIF report sounds like a bunch of companies protecting their own investment in future CALEA solutions, because my educated guess indicates that their main rebuttal points are in turn refutable. In fact, from the glance I had at the GLIIF document, it contradicts the opinions and public statements about CALEA made by many well-known Internet experts earlier this year.

However, that's just my feeling, and without reading both documents thoroughly, I'm not make any definitive declarations. Ultimately, whether I support it or not, I think all types of VoIP calls will be wiretapped - maybe not immediately because of technical issues, but eventually. It's been that way for decades with PSTN lines, and governments are just not going to give up that kind of surveillance power. (Having worked for telcos, I've heard things that worry me, but things aren't going to change, especially in the current climate of fear.)

Hackers-cum-researchers performed an interesting security-testing experiment earlier this year using VoIP phone numbers and Internet social networks. They presented their findings recently at Defcon.

Their primary plan was to determine if secret signals could be passed right out in the open, from enemy agencies to their agents. They theorized that the use of social networks to transmit carrier messages might increase the noise ratio so that it would be harder for "unauthorized parties" to decode the secret but publicly-transmitted messages.

This is in fact a technique already used covertly by intelligence agencies. However, they use shortwave numbers stations, and all governments have denied such operations. The general technique is to broadcast streams of seemingly nonsensical numbers or words, often in a female or child's voice. Of course, the stream represents a code, and only a few parties have the cipher to decode it.

Strom Carlson, a security researcher, and the hackers collective Project Evil teamed up to see if someone could do the same thing using the Internet, particularly using any of the abundant social networks out there. What they did was set up their own numbers stations. But instead of using shortwave transmissions, they used VoIP phone numbers and recordings. If you called such a number, you would hear a stream of code words. They advertised the existence of the VoIP numbers stations using Craigslist pages, using fake messages, to see if anyone would participate.

In short, they were successful getting others with a cryptographic interest to participate and decode messages using a one-time key. They figure enemy forces could be too. This is something proponents of CALEA may want to take note of: if hostile parties want to use VoIP, they are not necessarily going to use unencoded messages. (On the other hand, this experiment by Carlson might just give CALEA proponents more fodder.)

CALEA stands for Communications Assistance for Law Enforcement Act, and, in short, gives any Law Enforcement agency the right to wiretap communications networks, including the Internet and VoIP, in special circumstances. Although to date, it's not on the agenda to tap soft VoIP calls using clients such as GoogleTalk and Skype.

Of course, there are those people that believe that email spam is being used as numbers stations for intelligence communications. Although who is behind it is hard to say. (I particularly notice some interesting word patterns in the spam in my university alumni email account.) Public key cryptography concepts date back centuries, and the Internet is a perfect distribution vehicle. Just never thought VoIP could be used as a supplementary broadcasting outlet.

Additional sources: Slashdot, Homeland Stupidity, Defcon.

By now you've likely heard that a clone of the ultra-popular Skype VoIP client was supposedly created by reverse engineering. Charlie Paglee, a blogger and head of VoIP provider Vozin Communications stirred up the Internet recently when he claimed a friend called him from China with the supposed clone, a screenshot of which is posted at his VoIPWikiBlog.

Skype has denied the claim. Because Skype's system is proprietary, there is nothing officially compatible with their soft client. Skype must have been sure that no one would crack their code, though, because apparently, they never patented their protocol.

Art Reisman thinks the Skype clone is unlikely and gives a great explanation of why (via a discussion of encryption), and why it doesn't matter. Even if a clone did exist, for Skype, a large-scale migration to clones would crash their network, but would not otherwise be a security risk.

Security issues are more likely to occur in other components of VoIP systems, such as the hardware or software switching mechanisms, particularly in PBXes (Private Branch eXchanges).

In fact, two flaws have just been patched in Asterisk, an open source VoIP PBX package. The flaws, were they not patched, could lead to DOS (denial-of-service) attacks, thus bringing down a business's VoIP phone system.

DOS attacks have been used in the recent past to bring down websites for a variety of reasons, including attempts to take the site over, or just have mischievous fun. In the case of enterprise VoIP phone systems, the purpose would be to inhibit a business' telephony functions. For some businesses, that obviously means a temporary shutdown of operations.

A DOS attack is usually accomplished by overloading a web server or, in this case, a VoIP PBX. Version 1.2.10 of Asterisk PBX has fixed the flaws in the IAX protocol that would have allowed DOS attacks.

Additional sources: [ZD Net UK, CIO Tech Informer]

If you're using VoIP and do not have a "real" phone number to go with it, it may affect your ability to conduct banking or carry on the way you would with a regular phone or cellphone. That's according to Nuno from 21 Talks, who is quoting Brian Youngblood.

Youngblood's experience was that he called customer support at his bank using SkypeOut, and because that person could not tell what number he was calling from, they flagged his account. Unwittingly, he tried unsuccessfuly to pay for lunch the next day with his ATM/ debit card. That's obviously a good thing in terms of banking security, but also an unexpected convenience. Not displaying a real phone number might become a problem for some VoIP services.

Interestingly, I used Skype last night to call my own cellphone and the display said the caller was "0123456". Then I used Skype to call a buddy (one who has no voice mail and no cell phone and never intends to get either) and his display said "long distance - unknown caller". He's probably an extreme case, but seeing "unknown caller", he would not have answered his phone. That's just the way he is. In fact, the only reason he did answer was because I'd called him from my cell a few minutes previous to let him know what I was trying.

I had another experience yesterday with Skype, that may or may not have been because of the "unknown caller" issue. I called one of my website hosting providers - a very large, very well-known hosting provider - to fix a tech issue in trying to sync an existing web domain of mine with a newly purchased hosting plan.

The guy who answered didn't say anything about the audio quality of the call, but he was unusually rude and short-tempered. I'm not big on their atrociously confusing website or their customer service in general, and I only called once before. That was from my cell phone, and it cost me big because they do not have a 1-800 number (they are a budget host after all).

The result was that I didn't get my issue resolved, and cannot do it via email. What could have been a good experience in customer support most definitely was not. (Although I suppose it didn't help that I didn't know the 4-digit pin on my account, which someone else normally manages.) For now, though, I'll stick to email support and filling out annoying, hard-to-find web forms with some companies, or use a regular phone in situations like these.

Phishing is defined as the act of sending targeted, unwanted emails to people in the hopes of tricking them into giving up their financial details, be it credit card numbers, banking codes, or even Paypal or eBay account information. This is usually accomplished by getting the victims to click on a fraudulent website link, using the graphics and text copied directly from a legitimate service-based website. Phishing is related to spam but is typically more targeted to small groups of people at a time. Unfortunately, people are falling prey to phishing, and because of past successes via email, it didn't phishers long to apply their wiles to VoIP.

Vishing, or VoIP-based phishing, is already becoming a problem, according to a couple of very recent reports. With the proliferation of free VoIP software and services such as Skype, Sightspeed and Gizmo Project, it's also easy when the software often has SDKs (Software Development Kits) that can be used to build vishing applications right into fraudulent websites.

PC World reports that such fraudulent websites sometimes appear to offer financial services. Such sites offer a "Skype me" type of button, which legitimate sites also offer. But when you call the fraudulent site's Skype phone number, they ask you via recorded message to leave credit card details. Another new scam is getting auto-dialed calls via VoIP telling you that there are problems with your credit card. An IT Observer article elaborates further.

It goes without saying that vishing is going to be a big problem if there isn't a concerted effort in the VoIP industry to come up with solutions now.

Additional sources: Business Week.

VoIP ubiquity in software and hardware [1, 2, 3] is just around the corner, and it's likely to come in (now) familiar packages. Some of these VoIP voice applications are already here, some just arrived, and countless others are on their way. Imagine being able to initiate a VoIP call via Microsoft Outlook, just by clicking on a contact's name in your address book. Your familiar email client becomes a VoIP client. Or maybe you want to send a Paypal payment via Skype, or track and buy something from an eBay auction via Skype.

Of course, you can already do all of those activities, and many people have. I don't have sales figures for Skype-based Paypal payments, but it's pretty obvious that electronic payments in general are increasing. That's true whether via the Internet, through RFID-enabled smartcards or smartphones, or with biometric devices that incorporate RFID. In fact, it's said that India will have the largest market for contactless electronic payments via cell phones, with possibly up to 100 million users.

While I have a bit more faith in the security of hybrid biometric-RFID contactless payment systems, I'm not so sure I'd want my cell phone, or Skype or Outlook software, to be able to make a payment without my explicit authorization. So it made me wonder if there could be some way to authorize e-payments via VoIP, in terms of a digital audio voice signature.

The theory's long been put forth that each human voice is unique (notwithstanding comedian and impersonator Rich Little). While that theory has had a bit of difficulty in courts of law in the past, newer research suggests that it's true. It wouldn't be all that difficult, then, to take a voice scan for authorizations as an alternative to fingerprints.

It's my feeling that such an alternate will be more welcome than biometric scans. The reason for this may be purely psychological. Human beings have been familiar with voice recordings for decades. So recording their own voice does not make them uncomfortable. Biometrics, on the other hand, is a new science and the general populace does not have first-hand familiarity with it, unless they work in secure-access offices, military bases, or laboratories.

Of course, biometrics could be combined with VoIP technology for secure authorizations. However, my feeling is that such a combination would be unnecessary and more costly when digital audio voice signatures could be used reliably instead, and would probably have wider acceptance.

Sources: Owl Investigations - Aural Spectrographic, TC-Helicon - Voice Modelling Parameters.

Unless you've been sleeping under a mushroom, you probably know that North Korea's leader, Kim Jong-il, stirred from his dormancy and fired off not one but seven missiles, even after several countries cautioned strongly against it. Warnings of this may or may not have been this reason why South Korea suddenly backed off, a few days previous, against blocking VoIP calls by U.S. Forces Korea members.

South Korea had originally planned to block out U.S. calls due to non-compliance to their Telecommunications Business Act. However, at the request of US Forces Korea, they agreed to suspend the deadline.

It all begs the question, however, of how secure VoIP really is that the US Military would allow its individual members to use it. Or why they wouldn't set up Internet access, say, via satellite.

VoIP may generally be considered insecure, but it doesn't have to be. Calls could be encrypted and decrypted on the fly, by caller and receiver, respectively. However, to reduce the lag time on such encryption, the process would have to be done on small packets of sound, possible a few seconds at a time, else non-computer VoIP phones would have an extra processing burden.

Now, without delving into the inner workings of existing VoIP services, I'll hazard a guess that there already is some level of encryption conducted on VoIP calls. However, with encryption laws in the US and Canada being fairly strict (against exportation of algorithms), the level of encryption might actually be quite low.

Of course, the real issue in South Korea is over the ISPs that regular officers use to access the Internet and make VoIP calls. The service provider(s) they use allow unlimited VoIP calling, which the three South Korean ISPs who requested the US military block are upset about.

I seriously doubt, however, that the US Military's necessarily secure communications are being conducted via the same ISPs that individual members of the military are using.

On a related issue, Skype was recently told by South Korea to stop signing up new SkypeOut customers, until Skype adheres to telecom laws - in particular, two e-business codes. In fact, Skype's Korean Market Manager recently issued a statement that Skype was not currently doing business in South Korea.

It's interesting to note that South Korea has been a center of a considerably number of technology trials in both VoIP and RFID technology. Part of the aforementioned restrictions have to do with protecting the interests of South Korean companies.

Sources: Stars & Stripes, ZD Net Korea [via Skype Journal].

New technologies have always had their naysayers and VoIP is no exception. It's the target of a lot of misconceptions, and it'll take some time before consumers understand as well as they do regular phone systems.

Some people have actually openly stated, in comments on websites, that VoIP is a passing fad and that it'll go away. There is also a perceived jealousy towards VoIP from the perspective of old school telecom, which might be a motive for bringing down recently-IPO'd Vonage (NYSE: VG). Bring down the stock price, then either buy them out or bury them. However, there is no way VoIP is going away. Vonage was just unfortunate to be the first VoIP provider to become a publicly traded company.

Unfortunately, the criminal element will always find a way to abuse technology. But this pair strikes me as very odd. Two American men were recently charged with telecom fraud after they re-routed about a half-million VoIP calls through at least 15 VoIP providers' routers, around the world. The descriptions I've read about how these guys did it made me wonder just one thing: what were they thinking?

It appears that these guys had to have the brains to pull off what they did. It took a fair bit of technical skill and networking knowledge to reroute their customers' calls through other providers services. The technical description of their activity proves that.

But it's such a shame that they employed their obvious skills in such a manner. Instead, had they just thought a little bit more about the situation, instead of committing fraud, they could very likely have turned their knowledge into VoIP security consulting and made a nice living. And they would have stayed out of jail and not given VoIP publicity a black eye. A missed opportunity for sure.

The researchers at Cambridge University and the Massachusetts Institute of Technology (MIT) suspect that the VoIP software like Skype can be another tool for hackers to gain access to user's computers. While the Communications Research Network claims that it is only a matter of time before the technique becomes   mainstream and turn out to be the same problem that instant messaging has where hackers cause DoS attacks using the IP protocol. The communications experts believe that the hacking problem could be removed only when the VoIP publishers were to make known their routing specifications or switch over to open standards.

Via: [Breaking News Blog]

US courts have said that authorities can continue tapping of VoIP calls and VoIP providers must provide access to their networks.

According to Kevin Martin, court chairman:

Enabling law enforcement to ensure our safety and security is of paramount importance. Today, the United States Court of Appeals for the District of Columbia Circuit affirmed the Commission's decision concluding that VoIP and facilities-based broadband internet access providers have CALEA obligations similar to those of telephone companies. I am pleased that the Court agreed with the Commission's finding, which will ensure that law enforcement agencies' ability to conduct lawful court-ordered electronic surveillance will keep pace with new communication technologies.

A deadline of 14 May 2007 has been set for VoIP companies in order to comply with the decision.

Via theregister

CounterPath Solutions and Convergence have entered into a partnership for offering bullet proof VoIP security. CounterPath’s eyebeam 1.5 Video SIP softphone has been certified by Convergence for use with its Eclipse SIP security and management offering.

The companies are offering customers VoIP security which prevents any unauthorized access to user’s call and protects the service providers from attacks meant to disrupt or disable their service. The companies are trying to lessen concerns regarding VoIP security that continue to present a major obstacle for organizations seeking advantage of the benefits of VoIP.

Via vnunet

SIP has become the call control protocol of choice for VoIP networks because of its open and extensible nature but the integrity of call signaling between sites is of utmost importance and SIP is susceptible to attackers if not protected.

It is a security mechanism which has been defined by SIP RFC 3261 for sending SIP messages over a Transport Layer Security encrypted channel. Transport Layer Security can be repurposed for protecting SIP session communications from eavesdropping or tampering. Deployment of SIP based devices benefits network administrators from increased levels of security for their VoIP networks.

via techworld

VOIP security is one the main, if not the main topics at the ongoing Interop in Las Vegas. Since it is already clear that VoIP over WiFi will be big thing, many vendors are promoting their software solutions for a secure VoIP over WiFi.

This time around, the fear indeed is real and not a mere marketer's gimmick. For example, Trapeze is going to introduce two new security features that come with the upgraded version of its Mobility System Software.

Expect more vendors to address VoIP security in the days to come.

Via CRN

Cloudmark, Inc., which develops messaging security solutions for VoIP service providers, business users and consumers, claims that it can identify and block phishing attacks carried out over voice over IP (VoIP) systems. Most of these spoofs are aimed at users of any online financial service.

In such cases, users receive emails form scammers posing as bank or financial institution of any kind to spoof an unwitting target's financial institution. These emails tell you to dial a number and enter your personal information if you want to access your account.  Of course, the first thing to do when users receive such emails is to notify their service providers immediately.

Cloudmark combines a global threat detection network that uses real-time reporting by trust-rated users, with a unique fingerprinting technology. Thus, Cloudmark can easily identify and begin blocking new spam, phishing and virus attacks immediately.

Via MarketWire

Organizations around the world, including businesses are investing millions in VoIP-ready systems. However, they are still to fully grasp the security implications related with VoIP.

Data Network security must address a range of threats ranging from network-clogging unsolicited 'special offers', to unauthorized eavesdropping. Customers can easily lose voice communications if their network runs out of bandwidth.

Organizations engaged in data-sensitive businesses such as finance and government & defense need to be more aware of the security problems.

Starts with a VoIP-enabled firewall, an area a number of VoIP vendors are paying increasing attention to these days.

Via IT Wales

Take for example, Security software vendor Certicom. The company will ship a security software suite later this year specially targeted at desktop and mobile VoIP (voice-over-IP) handsets. The suite, called "Certicom Security for VoIP", will support Windows XP Embedded, Windows CE 5.0, and Windows Mobile 5.0, among other OSes. The software will protect signaling and media channels, plus including mobile phones with FMC (fixed-mobile convergence) capabilities.

Read More

Certicom has launched Certicom Security for VoIP in order to provide developers with means of easily and cost effectively secure devices as well as protect the signaling and media channels. It is a flexible, standard based solution for desktop VoIP handsets and mobile VoIP devices.

It consists of multiple, integrated modules that implement key security protocols such as SSL/TLS, DTLS and IPSec. It also offers trusted boot, cryptographic algorithms, secure provisioning and code signaling technology which is key to securing advanced applications such as IMS and UMA.

via [NewsWire]

Australians may have wholeheartedly embraced VoIP over the last twelve months but the internet protocol telephony also becomes a favorite target of malicious activities. James Scollay, Messaging security company MessageLabs's Asia-Pacific vice-president while detailing his next year plans on net phone security management says, "VoIP is very clearly a likely next target in information security, because it is close to the critical mass needed to make it worth a criminal's time to target it.” He further says that ever increasing use of VoIP will only lead to a flood of spit that is spam over IP telephony. Theft of VoIP services will no more be uncommon and by illegally entering into a VoIP network people will make outbound calls.

Via [TheAustralian]