Is Security Holding VoIP Back?

phoneboy writes "Voxilla is running a piece I wrote on security issues present in Voice over IP. While an increasing number of people are ditching their ILEC in favor of using Voice over IP from companies like Vonage, VoicePulse, Packet8, and Broadvox Direct, there are a number of potential security issues to be aware of. Is VoIP secure enough to replace the PSTN as we know it?"

As opposed to the security of PSTN?

[bc90021]

Considering we've been using PSTN for about a hundred years, and we've had absolutely no security whatsoever, something based on IP should be better. There are workarounds, at least, for the lack of security in IP; there aren't as many (if any) for PSTN.

Re:As opposed to the security of PSTN?

[Mysticalfruit]

I would think that this would be a perfect situation for public/private key encryption.

When you connected to someones VOIP device, it would merely pass you their public key.

Re:As opposed to the security of PSTN?

[firstadopter.com]

Agreed, nothing is inherently secure as the FBI's new proposal for wiretapping comes out.

Re:As opposed to the security of PSTN?

[robslimo]

I agree. I also think the cost of POTS is still pretty cheap, especially so with today's low LD rates. Example: I live in Oklahoma and it's costs me $0.08/minute to talk to my in-laws in Beijing and $0.07/minute to talk to my sister in Minneapolis. Go figure.

There has to be a real economic incentive to a household or company to roll out new systems to implement VoIP. It ain't here yet, but it'll come.

-----------------
And now, for something completely off-topic:

As of 10:57:22 PST, the last contender(The Golem Group) went to status Disabled.

A total of 28 miles were collectively traversed, with no participants getting past the 7 mile mark.

Thank you all for participating; we hope to see you all back here in 2006 for another try.

The 2006 event should be a real treat as we'll have clowns, jugglers and dancing girls. We'll also be introducing a new competing class called "Autonomous Disabled Autonomous Vehicle Tranport." The race for this class will begin 1 hour after the start of the main competion.

Re:As opposed to the security of PSTN?

[jayminer]

IP security would be easy to provide using many of the decent implementations of IPSec, but the most important problem of VoIP is that it is vulnerable to any kind of DoS attack.

The PSTN/POTS service is also on a publicly switched network, but controlled by central authorities. However, noone will try a DoS attack by constantly ringing your phone and making it busy.

Re:As opposed to the security of PSTN?

[hikerhat]

Well, you can't send an html email to a phone that tricks the user to click a link that installs a trojan that records all your phone calls and uploads them to an IRC chat room at midnight, all without leaving your parents basement. So even though there is no security on current phones, it takes a bit more effort to listen in on their calls. The minimal physical ability required to climb the phone poll rules out most chee-toe eating script kiddies from tapping your phone line.

Re:As opposed to the security of PSTN?

[ComputerSlicer23]

Ever heard of "man in the middle". Never trust a public key, just because it is public.

You should get signed keys, or keys directly from the person you want to be talking with. If the somebody wanted to break your security, all they have to do, is be upstream from your ISP. Capture the broadcast of the public key, send you a different one they have the private key for.

Now there are exchange methods that you can use in public, but just passing a key in the clear isn't a good idea. Normally there is some type of key exchange before hand, a trusted third party, or a web of trust used to establish identity, and the trustworthyness of a public key.

Kirby

Re:As opposed to the security of PSTN?

[iminplaya]

Maybe that's the deal. VOIP is too secure for the FBI to allow to become widespread. Am I paranoid enough?

Re:As opposed to the security of PSTN?

Amen to that - PSTN was never secure. VoIP can be MUCH more secure. Starting with the ability to control who calls you, where they come from, and whether or not they are impersonating someone else. Even PSTN CallerID is trivially spoofable. What privacy? Get OE. Start with encrypting everything - check out http://www.ietf.org/internet-drafts/draft-richards on-ipsec-opportunistic-13.txt and http://www.freeswan.org/freeswan_trees/freeswan-2. 05/doc/quickstart.html A future revision will explain how to do it through NATs. What? Your VoIP box doesn't support OE? Tell your vendor to fix it, or put it behind a Linux firewall.

Re:As opposed to the security of PSTN?

[lussmu]

Well, the problem is a bit more difficult than that. IPSec can be used with VoIP, but it isn't particularly efficient. There are special IPSec for VoIP specifications, so the problem isn't encryption, but the lack of certificates. Public key encryption is always vulnerable to man-in-the-middle attacks, be it SSH or SSL web traffic.

I'm guessing this might hold VoIP back for a little while, but when VoIP will be deployed large-scale, we will for sure see people having personal certificates. Right now, a real non-test certificate from verisign for a company web server costs 895 $ but I could see the prices going down for personal certificates, when markets for those would start to appear.

Or then there's the Finnish model, where you can get an electronic ID just like you can get a regular ID from the government. The electronic ID is the regular plastic ID card with a smart card chip. You get two certificates from the government-operated CA. All this for the measley price of 40 euros. This would be a viable choice for private persons too.

There is also a SIM card version (a WIM card) designed that will come out in the future.

Re:As opposed to the security of PSTN?

[Rick+the+Red]

Am I paranoid enough?

As long as John Ashcroft and his ilk are in charge, you're not paranoid at all. They really are out to get us!

Re:As opposed to the security of PSTN?

[SatanicPuppy]

Well, except for the fact that PSTN is based on hardware which is, by and large, too stupid to hack, whereas VOIP is pre-eminently and provably hackable.

Anyone remember the little scandal thing last year where someone was hacking cell phones that had public IP addresses? I think they definitely need to work on some encryption for VOIP. Everything I've seen with it to date has run with PTP tunneling because of the lack of security, and you could tell, bandwidth-wise.

Re:As opposed to the security of PSTN?

[gnuman99]

All that is required is that each adaptor gets a key signed by the VoIP telecom company. That would be just as safe as it is with PSTN - only the telecom could be the "man in the middle".

Re:As opposed to the security of PSTN?

[iminplaya]

Business as usual. It's really no different than Nixon, J. Edgar Hoover, etc. Only then it wasn't Al Quaeda(el queso, whatever). It was the the Black Panthers.

"Meet the new boss
Same as the old boss..."

Re:As opposed to the security of PSTN?

[Grant_Watson]

...only the telecom could be the "man in the middle".

I hope there's a better way. I realize that this is an improvement over the current system, but why settle for that? I don't think they're going to run around selling trade secrets, but still, does anyone trust telecoms?

Re:As opposed to the security of PSTN?

[Rick+the+Red]

The difference is that Hoover didn't care if what he learned wouldn't stand up in court, because he was only interested in blackmail to keep his job. Same with Nixon. Ashcroft wants to use what he learns in court, so he wants Congress to legalize the crap Jedger and Tricky D. used to pull.

He also doesn't want to bother with all that nasty detective work to decide whose phones to tap, he wants to read all the mail and listen to all the phone calls and sort it out later. Personally, I have no problem with this, as long as John Ashcroft's mail and phone calls are all made public so we can play, too.

Re:As opposed to the security of PSTN?

[devilspgd]

Why buy from Verisign? If we're talking a telco deployed system (Vonage, etc) have them sign it.

Now, if you're talking a "every man runs his own VoIP" environment, or one which doesn't have a small number of key players, then certificates are more important, but even then, a web of trust model could help.

Re:As opposed to the security of PSTN?

I wouldn't necessary state that. There were people in the 80s who "warred" with other groups by making the group member's phones busy.

However with the phone system being mostly digital now, there's very little chance of that happening. It's simple to figure out who's doing what and for law enforcement to slap them. Usually. If you bounce through several PBXs in and out of the country it may take a while, but everything's recorded now so you're generally pretty screwed...

Re:As opposed to the security of PSTN?

[collinl]

I think this PKI-edness of VOIP is basically silly.
I can receive a phone call, or make one at any PSTN phone.
With PKI based VOIP, I can only answer the phone, or make calls, from a single machine.
Why remove that level of flexibility just to cut out the telco?

A better idea might be to secure the link to the IP-based switching centre, and let their directory service manage the link to the remote end, including confidentiality, authentication and so on. Sounds a lot like a telco to me.

Re:As opposed to the security of PSTN?

[jone_stone]

Unless everything I've learned about public key cryptography is wrong, your proposed situation can't happen. Under that situation the responding party, which is using the false public key, would send encrypted information that the first party couldn't undertand (because it was encrypted with someone else's public key). So yeah, this kind of thing could happen, but at least one side would know that something was wrong. At best this is a problem that someone can impersonate someone else, not that lines can be tapped without the participants' knowledge.

-David

Re:As opposed to the security of PSTN?

[mpe]

Considering we've been using PSTN for about a hundred years, and we've had absolutely no security whatsoever,

Especially with SPC telephone systems where a "tap" exists only within the software of the system. Known only to the people in charge of the switching software. To the point where it is perfectly possible for lines to be tapped without the knowlage of even the telephone company and criminal gangs being able to place taps on police phones.

Re:As opposed to the security of PSTN?

[mpe]

Maybe that's the deal. VOIP is too secure for the FBI to allow to become widespread.

It's kind of hard to tell what kind of data an encrypted VPN tunnel might be carrying...

Am I paranoid enough?

Given that historically such entities appear to have been more interested in commercial spying and chasing people with politically incorrect viewpoints, as opposed to catching organised crime and terrorists. There's a good case for asking if any degree of paranoid is sufficent. Though it can sometimes look as if those in the "security services" are the most paranoid.

Re:As opposed to the security of PSTN?

[mpe]

He also doesn't want to bother with all that nasty detective work to decide whose phones to tap, he wants to read all the mail and listen to all the phone calls and sort it out later.

Which is rather useless for any kind of law enforcement purpose. Given that the signal/noise ratio is so low. With any terrorist or gangster with 2 brain cells to rub together likely to use a simple code which will render their planning indistinguishable from the general chatter of millions of people.
Law enforcement needs so called "human intelligence", which includes brave people to infiltrate and get out such information such as who's telephone to listen in on, etc.

Personally, I have no problem with this, as long as John Ashcroft's mail and phone calls are all made public so we can play, too.

Why stop with Mr Ashcroft? Maybe every member of government should have all their telephone calls (including those made with their home phone) placed in the public domain. That might improve the bahaviour of some politicans since it would make it harder for them to act hypocritically.

Re:As opposed to the security of PSTN?

[ComputerSlicer23]

Read up on "Man In the Middle" some more. If I can intercept everything that passes thru, and you only send the public key in the clear, I can set things up so you can't tell I'm the man in the middle.

I suppose, that if I encrypt with my private key, then encrypt with your public key. Nobody in the middle can tell what I'm saying. You can know you are talking with someone, but if they can intercept all of the messages, how can you tell them apart from me, if you've never met me or them? They could say the are me, and do what I'd do. With no pre-shared information you can't tell the difference between them and me. What you would know, is that whoever you are actually communicating with it's secure. What you don't know is that you are communicating with who you want to be communicating with. I can demonstrate it for you via the equations if you'd like.

In essense, with no pre-shared information, between Alice and Bob, how can they communicate if Marla can intercept anything they send.

1. Alice sends a public key to Bob (PK[A], Alice has the matching private key pk[A]).
2. Marla captures this, and sends Bob (PK[MA], Marla has the matching private key pk[MA]).
3. At this point, Alice knows nothing about Bob. Marla can respond with to Alice just like Bob would. Alice can't tell the difference between them. Marla sends PK[MB] (Marla has the matching private key pk[MB]) to Alice (who believes it's Bob).
4. Bob responds to Marla (who is masquarading as Alice) with PK[B] (Bob has the matching key pk[B]), which Marla again captures.
5. Marla uses pk[MA] and PK[B] to communicate with Bob. Bob uses PK[MA] and pk[B] to communicate with Marla (whom he believes to be Alice)
6. Marla uses pk[MB] and PK[A] to commuicate with Alice. Alice uses pk[A] and PK[MB] to communicate with Marla (whom she believes to be Bob).

All Alice knows is that she's communicating with the person with the key PK[MB] (who must have pk[MB]), and Bob with PK[MA] (who must have pk[MA]). They know that no one without the associated private keys can read the conversation. Marla now controls the conversation between Alice and Bob. The problem, is that Marla controls the network. That's enough control to subvert public key cryptography.

What Alice doesn't know is that PK[MB] is associated with Marla. They trust the first person who comes along and says they are Bob, to be Bob. At some point, the string of bits has to be associated with Bob, and not with Marla.

What is different about Public Key cryptography instead of Symmetric Key cryptography, is that Bob can tell everyone and their brother his public key, and it's no big deal. So he can publish it in a well known location and that's good. In Symmetric Key, the key must be kept a secret. In public key, you can use the same key pair to communicate with everyone, if you also use their pair in the communication. In symmetric key cryptography that isn't the case.

There is a reason that Versign exists. It's to provide PKI. You really need PKI to make Asymetric Cryptography to work.

With Public Key Cryptography, you can be sure that you are talking with the person who knows the private keys associated with the public keys. However, Public Key Cryptography has no guarantees that who you think has the private keys is who they say they are. At some point, a secure transaction must take place to associate a particular person with a particular key (normally a third party does this, and they are known as a Key/Certificate Authority, think VeriSign. Everyone implicitly trusts the Third Party).

The alternative way to do this, is to build a distributed web of trust. This is what GPG does. Which is "better" from a security standpoint, but very difficult to bootstrap to a point where it's useful.

Kirby

Re:As opposed to the security of PSTN?

[dranga]

Isn't that what telemarketers do?

Security? Not a problem for home users

Just look at how many unsecured wireless networks are out there. And most cordless phone users had no problem speaking of easily listenable frequencies for many years.

PSTN? Secure?

[Heartz]

Whoever said PSTN was secure? All you need to sniff is a wire and the right equipment. And it's easy to do.

Re:PSTN? Secure?

[vrmlknight]

really all you need is a phone handset and a few alligator clips, and that's getting complex..

Re:PSTN? Secure?

[javajawa]

Of course, traditional wire sniffing requires physical access, whereas VoIP sniffing merely requires virtual access.

Re:PSTN? Secure?

[vrmlknight]

Sniffing VoIP traffic still requires some physical access, you need to be able to intercept the packets either be on a router in-between the points or have root'ed a box in between them, or in the case of wireless be physically close to them and have a week or so to crack what ever encryption they are running on the wireless network...

I don't wnat VoIP

I don't want VoIP. Depending on the Internet for all communications (e-mail, IM, and phone) is just a bad idea.

Re:I don't wnat VoIP

[Phekko]

Agreed. That's why there should be Slashdot via carrier pigeons, dammit!

Re:I don't wnat VoIP

what is it, really?
damn it? damnit? dammit?

Re:I don't wnat VoIP

[firstadopter.com]

Why is depending on the internet for communications a bad idea? It's fault tolerant, a lot of back up ways. On the other hand other systems, just go down and you're stuck.

Re:I don't wnat VoIP

Take Slammer. It managed to slow the Internet to a point where it became unusable. It's only a matter of time before more Slammer-like worms come, only instead of targetting desktops they target the Internet itself.

Re:I don't wnat VoIP

[PacoTaco]

With QoS.

Re:I don't wnat VoIP

[gnuman99]

It is the matrix! Run from the matrix!!! Ahhhhh..!!!!!! [SPLAT!] [hits the wall of the well padded room]

It is too bad that Internet goes over the same wires^H^H^H^H^Hfiber that your telephone calls do.

Re:I don't wnat VoIP

[way-kun]

Why is depending on the internet for communications a bad idea? It's fault tolerant, a lot of back up ways. On the other hand other systems, just go down and you're stuck.

Yeah, it's really nice if you're multihomed AS.
I don't remember when was the last time that my phone line failed. As for the internet... three days back (for an hour).

I don't know if this is normal or it's just that .si ISPs tend to suck. I'd like to think that in a critical moment I'll be able to call emergency hotline (eg. 911 for americans) if I ever switch to VoIP.

Re:I don't wnat VoIP

[dissy]

Don't assume IP == Internet

The Internet is just one IP network.
Phone companys have their own networks, they don't need to involve the Internet what so ever if they choose. Same as I don't need to plug my IP network into the Internet for things on my own network to talk to eachother.

Re:I don't wnat VoIP

Right! And that's what is totally ridiculous about the Justice Department's premise of securing the nation by monitoring everything possible.

All a subversive organization has to do is set up a dial-in system anywhere and communicate via some crude encription, and they can by-pass anything that the Justice Department is even thinking about doing.

Either they are stupid as h*ll, or, they are simply trying to reduce individual freedom in this country by using the terror threat as a lever.

Re:I don't wnat VoIP

Either they are stupid as h*ll, or, they are simply trying to reduce individual freedom in this country by using the terror threat as a lever.

Or... Both!

Re:I don't wnat VoIP

[4of12]

I like the idea of a IP packet based network that can route around problems.

Even phone networks are going this way after you get away from the last mile circuits which are much more vulnerable to interruptions of service than packets willing to take whatever route is available.

Assuming the latency can be overcome, of course.

Security isn't the problem.

[danitor]

As usual, Michael's title is misleading.

Security is not holding VOIP back.

Security is just one layer that needs to be implemented, particularly when VOIP becomes more widespread. It has very little to do with adoption- just look at how analog cellphones prospered. We all know how easy those were to listen to.

Re:Security isn't the problem.

[phoneboy]

The title of the news story is the title of the article on Voxilla. If you disagree with the premise of the article, fair enough, but don't attack Michael over it. He wasn't responsible for choosing it -- I was.

-- PhoneBoy

Re:Security isn't the problem.

but don't attack Michael over it

Exactly, much more appropriate to attack him over the fact that he is squatting on the censorware.org domain, using it to further a personal grudge match, rather than giving it back to the Censorware project who are trying to fight Internet censorship.

Obviously Michael's personal feuds are more important than fighting online censorship. Good to know where his priorities lie.

ps. If you are reading this it is probably because Michael hasn't spotted it yet, since in a further act of breathtaking hypocrisy, he is known to use his editor status to censor any attempts to bring the wider /. readership's attention to this shameful act.

Re:Security isn't the problem.

One satisfying result of this is that if you search Google for "Michael Sims" almost all of the results pertaining to him are people criticizing him - I doubt he gets much pleasure from ego-surfing ;)

Re:Security isn't the problem.

[Gortbusters.org]

True that, there's enough good security stuff out there like media encryption (take a look at the H.323 phones from Avaya and Avaya's Communication Manager product), though I think Cisco followed suit and added it. The main problem with adopting voice is that many networks are not setup for voice. Everything from at least a 100MB back bone to VLANs is required to get good quality of service in VOIP, and even then things can happen that require you to tune the network.

Re:Security isn't the problem.

And this guy still has editor status on slashdot becaaaauuuusee....?????

Re:Security isn't the problem.

Stopped me from buying it -

Um Mr Cisco what 100K and not even secure on the same network as peoples workstations...how about video on those expensive sip phones.. no huh? Reliable all logging? No huh?

Whats the advantage

- well it runs on the same network - but to make calls over pots you need this proprietary gateway equipment here (same price as a phone switch)

- free branch to branch calls (but you need to increase your WAN pipe at both ends so > Total cost pipe+vpn+config+maintenance than the phone charges)

erm same features >= cost = no thanks I'll wait...

Landline isn't technically secure either.

Nobody said landlines were particularly secure either. Anyone can tap a phone line or phone box for that matter and listen in on your conversations. There's few encrypted landlines around. It's also easy to listen in on cellular or wireless handsets with relatively inexpensive equipment. So for security, neither are very. If you want security you need fiber optic (VoIP or not) that measures light passing through the fiber and can detect if some of it is being diverted to listen in. Only the military and the Illuminati needs something like that.

What landlines ARE, though, are more reliable. I don't want to have my VoIP phone crash on me or have packet loss when I'm trying to call 911 because of a heart attack. You don't get two chances at that to call again, reboot, or whatever.

Re:Landline isn't technically secure either.

[desolderthis]

"If you want security you need fiber optic (VoIP or not) that measures light passing through the fiber and can detect if some of it is being diverted to listen in."

What? Perhaps you could elaborate on what exactly you mean by light being diverted. But if it were me, I would break the transmission line, and insert a circuit between the lines. Then I would simply use some device to duplicate the incomming wave. Then the person who I am spying on sees no difference in the information he receives. To initially install this circuit, I would probably force a power outtage, or some other incident to divert their attention from the fiber optic connection.

I see it like this

[barenaked]

Today's Firewalls dynamically open and close multiple ports as required by VoIP signaling protocols such as SIP, they remain ineffective in securely supporting unsolicited incoming connections. NAT prevents two way voice and multimedia communication, because the private addresses and ports inserted by the client devices (SIP phones, video conferencing etc.) in the packet payload are unable to be routed in public networks. Therefore, incoming calls that are in any service intended to replace the PSTN just are not possible with todays existing NAT/Firewalls.

Re:I see it like this

[NTmatter]

I'd say the problem isn't really the NAT/Firewalls - it's just the NAT that's a hindrance to bidirectional communication. It's simply impossible to create a connection to something behind a NAT box when you only have one IP to work with.

The best analogy to work with would be calling a large department store, wanting to talk to the clothing department, but being confronted by a receptionist or an automated machine telling you to "Enter the extension of the department you would like to dial." This is sadly impossible in the context of VoIP without having a server on the NAT box, or a hack in the NAT's rules that is capable of inquiring which "extension" to forward the call to. While this is plausible, it also raises the problem of exactly how to standardize the process. Too many people have an interest in VoIP for any sort of final standard to be released.

The only practical solution, in this case, (at least from a networking standpoint) is to eliminate NAT altogether. Fortunately, such a solution already exists. Its name is IPv6. If everyone can have their own globally routable IP address (and thus a globally unique iPhone#), then there would be no compelling need for NAT outside of obscure load-balancing setups.

Sadly, the switch to IPv6 brings its own set of problems. Namely, the Telcos and government, who have been fighting for the taxation of the internet and internet telephony services, or at least their providers. IPv6 + VoIP will eat into the profits of Telcos once they start becoming widespread. Why pay a perfectly reasonable 10 cents a minute for long distance, when you can pay $30/month (or however much internet access costs you) for unlimited calls to anywhere in the world.

As for roaming, there's no real problem in having a bit of software on your VoIP box that forwards your calls to a VoIP mobile phone sitting on some wireless network out at the office, as long as there's a way to let the VoIP box know the correct IP to transparently route calls to. Think of it as call forwarding for networks.

So, there's no real problem with the replacement of PSTN, aside from the IPv6 transition, whose problems have already been beaten to death on Slashdot in the past. If only we could get corporations to just shut up and die when they become obsolete for the greater public good, life would be so much easier, wouldn't it?

DISCLAIMER: The author will not be held responsible for any negative aftereffects that may or may not result from the usage of this opinion as fact.

Re:I see it like this

[Tmack]

NAT is only an issue if you do not own/control the thing doing NAT. If you can control the NAT device, you can set the ports required for whatever service to be forwarded to an internal device. If you have more than one device internal that needs said service, then you should get more IP's and not use NAT. Alot of Apps are now written to take NAT into account (ie: all Instant messengers), and by using a central server to initiate an outbound connection, can allow many of the same App to work with only one public IP address. As this relates to VoIP, it depends entirely on the implementation, but 99% of the time is no issue what so ever.

The issue of NAT becomes null when the terminating VoIP device on the customer's end is the gateway router that de-VoIPify's the voice traffic back to POTS lines or CAS/PRI(ISDN) style digital trunks(look up Cisco IAD 2430), while taking care of the LAN's NAT and other data traffic as well. Granted this one is aimed more at companies that have multiple internal lines connected to a PBX, but is also the model being implemented by several other providers as well with smaller routers and DSL. It also proves VoIP is not limited to the assumed stereotype of Vonage style VoInternet for a single line. One of the advantages of VoIP is that you do not need 1 IP address per Line/TN. The routing is done by IP, meaning 1 or 100000 TN's can be mapped to terminate at any single IP address. The only time NAT would be an issue at all is if you are trying to implement VoInternet and your ISP gives you only a NAT'd IP address. If you want to use multiple VoIP phones at a location where the LAN sits behind a NAT box, you route all VoIP traffic to a VoIP gateway/PBX from that NAT box, then from the VoIP Gateway/PBX you route the calls internally based on whatever you want, thats what PBX's are specifically for.

Your post also makes the mistake that it seems the whole /. crowd has made toward VoIP, in assuming VoIP==VoINTERNET. There are CLECs out there already using 100% VoIP comunications, on their own internal networks. The difference is the CLEC becomes both your Telco provider and ISP while providing security and reliability (voice traffic does not leave the CLEC network to travel the "wild" internet, and therefore cannot be sniffed/comprimised without first comprimising the LECs internal network). As an employee of such a company, I have first hand knowledge of how it works. Voice traffic is routed completely seperate from data, and on a "private" IP subnet that wont route out of the LECs cloud.

Tm

Marketing and Brand

[firstadopter.com]

I think the main thing holding VOIP back is the Baby Bells, who have a lot to lose if they keep pushing it. SO it's up to the startups like Vonage to publicize the benefits and the low cost. Unfortunately that will take a LONG time as people just don't know about it.

Re:Marketing and Brand

[phoneboy]

I think the Baby Bells have a lot to gain if they start implementing VoIP instead of burying their head in the sand and trying to fight it.

-- PhoneBoy

Re:Marketing and Brand

[Deliveranc3]

Napster didn't need marketting. The product isn't ready for mass market, when I build a house I still have to install old phone lines. That's crap, it's just not ready yet. Backwards compatability is one of the major problems and the other is ease of use.

Despite this I think they are fairly standardized now and the quality is excellent.

If someone offered a service which would patch the data from a phone # to an I.P. then I'd use it in a second.

Re:Marketing and Brand

Pretty much all of the bells are offering Hosted IP / IP centrex systems today, what are you talking about?

secure?

[loraksus]

like PSTN 2 aligator clips and a regular handset secure?
Hell, when I *ahem* hung around people who beiged boxed we didn't even have aligator clips. Holding onto the wires was cool until a the phone rang ;)

insecure network - insecure services

[UnderAttack]

regular phone service is secure (and does not need encryption) since the network it is using is considered secure. Climping up on phone poles is not only a lot of work, but gets you easily arrested as well.

On the internet on the other hand, you can take your pick of about 500k ready to use backdoored hosts at any day. Just pick one close enough to your target. If you are desperate, buy one of the routers in the path on IRC for a few stolen CC numbers.

What we need is a simple and fast encryption method for VoIP. Similar to the phone network, it doesn't have to be 'Fed prove'. This may make it possible to come up with something simple that will not cause excessive latency.

Of course, one issue with VoIP is that its kind of stretching the limits of current infrastructure. So any added overhead may break it.

Re:insecure network - insecure services

[alexatrit]

Why climb up the pole at all, when many residential subscriber blocks are mounted on the front of people's homes? Most of these units are unlocked. Merely open the door, insert a splitter from Radio Shack, and off you go.

Re:insecure network - insecure services

[c_g_hills]

What we need is a simple and fast encryption method for VoIP.

IPv6 supports encryption natively. Running voice-over-ip using version 6 is another great reason to make the upgrade.

Re:insecure network - insecure services

[emf]

I would say the opposite, regulare phone service is very unsecure. Tapping your phone line is very easy if you know what you're doing. There are various places between the CO and your phone which can serve as easy locations to tap your line. For example if we lived in the same apartment building and your apartment was directly above mine. Your phone line may actually be running through my unit. It doesn't get any easier than that to tap it.

I've never used VoIP, but I would think that if you and I decided to have a VoIP conversation we could easilly encrypt the communications from each others computers (i.e. IPSec, or some encrypted tunnel if the application won't support it). Our IP traffic will not only be much more difficult to tap than POTS, but even if it is tapped it then becomes very difficult if not impossible to break the encryption.

Re:insecure network - insecure services

[Jameth]

The issue is mostly that you need to physically tap the line. This will, at the least, demonstrate that you are tapping a line. Also, you need to be relatively immediately colocated to tap a phone line.

VoIP can, however, be easily tapped from a distance without and physical evidence.

Re:insecure network - insecure services

[Gortbusters.org]

Take a look at this presentation from Avaya (formerly the part of Lucent / AT&T that did all of the PBX/phones), they now have media encryption.

Re:insecure network - insecure services

[sulli]

it doesn't have to be 'Fed proof'.

Yes it does. Why not build VoIP protocols with built-in strong crypto? They did it with PGPfone years ago, there's no reason not to do it again.

(of course you can always run standard VoIP over ipsec, but that's just for PC to PC service.)

Re:insecure network - insecure services

[bigberk]

What we need is a simple and fast encryption method for VoIP

I wish I could post more details but I'm holding back because of potential patent issues. Anyway, my colleagues and I have implemented an entirely peer to peer VoIP system that uses Blowfish with its maximum 448 bit keys. It works great, and modern PCs have enough processing power to handle it.

Crappy service is holding VOIP back

[bhny]

I've had a ridiculous number of problems with Vonage, never any worries about security.

Re:Crappy service is holding VOIP back

[dr3vil]

Really? I've been using Vonage quite happily for over a year now. Great quality, uptime, service. Althpugh I haven't ditched Ma Bell yet (she provides my DSL service, and my grandfathered-in static ip address would be sorely missed).

Re:Crappy service is holding VOIP back

[azuretek]

I've been using vonage for about a year and I havent had hardly any problems (no more than I did with a regular land line)

I ditched my land line about 2 months after I got my vonage, I haven't looked back since. I moved accross country and I brought it along and still no problems. I'd bet alot of the problems people have had are on their own end and their cable company (my company told me they didn't have to support any service as long as I could view web pages)

Theres a few things I don't like about viop

[headbulb]

First and this one goes for cell phones too.

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence. Cell phones have to do the same thing to conserver power but what they do is, Place confort noise. This keeps the person thinking that the call is still going. (This is what really turns me off about VOIP)

Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.

I just think its not the correct way of going about creating a network that is designed to be directly connected. The network that pstn is based on has a niche. Where else are you doing to get a virtual connection without having to bury your own lines to every office. (forgot the terms at moment)

It's extremly hard to talk to someone when A. You have a delay. B. You have missing packets that interupt the signal, Thus you get dropouts.

Now I do like voip in games.. That confort noise I was talking about, Is now takin over by the sound the game makes, and so the silence inbetween isn't so weird.

I have heard about sprint doing voip networks with their own network to get around the ping/packetloss/QOS that is not a garantee on public networks. But I view it as if They want to have a packet based voice network they need to design it from the groundup to just work instead of just layering it ontop of IP. They then need to submit this to the standerd association, So that phone companys don't have to convert/recompress and signal with eath in and out on the network. Otherwords a more lossless operation.

Well thats my beef.

Re:Theres a few things I don't like about viop

Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.

Welcome to the world of VoIP with SIP, where all the building blocks to build the services are standardized (for some value of standardized), but the services themselves are not -- they are left up to the intelligent endpoints (for some definition of intelligent) to work out, if they can.

Re:Theres a few things I don't like about viop

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence. Cell phones have to do the same thing to conserver power but what they do is, Place confort noise. This keeps the person thinking that the call is still going. (This is what really turns me off about VOIP)

There is possibility of a silence noise generation in some VoIP codecs - check your device features first! Moreover, VoIP can use GSM cellphone codec too and be absolutely transparent.

Re:Theres a few things I don't like about viop

[bcrowell]

It sounds like your information is out of date.

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence.
I use Vonage now, and what you're describing doesn't happen.

Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.
I don't know anyone who uses PC software for internet telephony these days. The companies they're talking about in the article sell you a black box that you plug a regular phone into. No computer needed.

Re:Theres a few things I don't like about viop

[Effugas]

headbulb--

Comfort noise is missing on less advanced VoIP implementations.

Here's a link to the RFC that specifically describes how to send packets with comfort noise. Note that there's actually some work done to make sure the noise matches the spectral shape of what should actually be there. This prevents the noise from seeming "unusual" the the listener (i.e. it's not just random fuzz):

RFC3389.

In terms of conversion and recompression, G.711 -- the "high bandwidth" version of VoIP, at around 64kbit per direction -- isn't even converted when it's passed to the PSTN network. It's only the higher levels of compression -- G.729, G.723 -- that need to be transformed at the proxy. And it turns out most of the failures happen one hop up from the DSL/Cable modem, because there's a huge amount of bandwidth coming in and relatively little to each endpoint. Something needs to be done about this, but it's not entirely clear what. Designing from the ground up -- yeah, we did that with the PSTN, and it's great, but there's so many legacy taxes that people are going to IP just to avoid regs written before the new tech was born.

That's the story.

--Dan

Which way are we going?

[amigoro]

On the one hand, we want to use IP for our voice communications. On the other, we want to use our mobile phone for surfing the web (and installing Linux but that's another story).

So which way are we headed?

It's quite ironic that the internet spread as rapidly as it did because people were able to use internet over dialup, and today, the discussion is about how to replace the existing PSTN architecture with VoIP.

However, I think sooner, or later, people will make ALL there phone calls using internet enabled mobile phones. So what protocol are they going to use? Or is it going to be a mix of protocols, say, if a Canadian were to talk to a friend in Australia?

Re:Which way are we going?

[metalslinger]

Honestly there were 2 things that made the internet grow so fast:

the proliferation of phone lines
the low cost of modems; and it really boomed when they're was a proliferation of preinstalled modems

Standards based wireless ISP's, using mesh networking, will make this happen again. Think of all the computers coming standard with an 802.11b/g card. Now think of meshes spanning the nation.

End of story.

Security... sort of

[mental_telepathy]

one interesting (related) note, is that security is holding back voice over wireless. Not directly because of security concerns, but because of speed. The time to authenticate from AP to AP is causing QOS issues with the voice communications.

The question is.....

[invisik]

..is the internet ready for the mass migration from PSTN?

With all the lag and overloading on the internet, is it really ready to handle a jillion voice streams running over it with the expectation of quality and reliability of PSTN?

As a geek type, I'd love to see it come together to widescale use. But as a business type, it seems to unreliable for official use yet. Most businesses can tolerate their internet connection being down for a period of time, but I don't know any business who can tolerate a phone outage short of sending everyone home.

-m

Re:The question is.....

[bcrowell]

..is the internet ready for the mass migration from PSTN?

With all the lag and overloading on the internet, is it really ready to handle a jillion voice streams running over it with the expectation of quality and reliability of PSTN?

When you make a long distance call, you probably visualize it going through copper wire to the local telco, and then crossing the continent as an analog signal on fiber optic cables. Actually, the chances are very good that at some point in its journey, your signal is passing through the internet. Phone service and the internet are technologies that have really already converged. Long distance providers and internet backbone providers all sell each other bandwidth as needed. When people refer to "VOIP" or "internet telephony," it's really a misleading use of the terminology, because Grandma in Omaha probably uses VOIP without knowing it every time she makes a long distance call through Sprint.

Re:The question is.....

[invisik]

Actually, I have quite a bit of experience with international long distance. Have you ever made a international call to Africa? There's about a 5-10 second lag from when you talk to when they actually hear it. Interrupting someone is impossible. Calls to France and England are usually lag-free, however. I know this stuff goes over the internet. It's downright awful.

So I still bring it back to the original question, if we added a couple million VOIP phones I can't believe the current internet would be able to handle it properly.

Who's to assure if I got a VOIP phone for my business that I can reliably call all the places I need to when I need to? Do we need SLA's for our telephones?

-m

the problem is not VOIP phone

The problem is most of us still can't get DSL or cable to our home even if we're in silly con valley.

Infrastructure not security is holding it back

[jobugeek]

The whole point of VOIP is not having two separate lines. But when we looked at doing at our company, the undertaking to prepare the data network(upgrading cabling, tweaking or turning on QOS on routers, etc) it became more work than what VOIP was advertised to solved.

And truthfully, many companies I talked to who converted to it haven't been all that thrilled with the results so far. It's either been flaky or was so expensive that it didn't justice the cost.

Re:Infrastructure not security is holding it back

[gnu-generation-one]

"And truthfully, many companies I talked to who converted to it haven't been all that thrilled with the results so far."

Like dropping phone calls when the network gets busy? Too right it's not a good result. And try debugging phone problems when they're being caused by someone running a game on the network with intermittant IP traffic.

PGP Phone

[hikerhat]

Too bad PGP phone never took off.

Re:PGP Phone

[Sinus0idal]

Try the free client at www.skype.com. Implements end to end encryption... I've found it works well.

Bull!

voip -- blowfish -- { internet } -- blowfish -- voip
Someone implement a cheap box that lets you plug a normal phone into your PC with that, and VOIP will take off and the telco's will become extinct
I've been saying this for 3 years now!

Re:Bull!

[ShallowThroat]

but who will think of the poor telcos!? Just letting them die after all their fair buisness methods!?

Re:Bull!

[unclefungus]

let me say I do see the sarcasm in your post, but seriously, any buisness that wants to survive has to learn to adapt. if the telcos don't adapt they will die. maybe, since they already have most the voip, internet backbones, and major connectoins they should provide a voip phone service to go with your new DSL line. my cable modem company is trying to get me to buy into it, but they cost to much. :)

No.

Is VoIP secure enough to replace the PSTN as we know it?

No.

Thanks to the acceptance of less than end to end secure encryption similar to ssh or ssl, and thanks to Voip providers willingly/being forced to provide snooping access thanks to their man-in-the-middle position, this will end the requirements for a judge to oversee and ensure snooping is justified in a small number of cases, and open everything up to massive snooping, and massive insecurity.

There is no judicial oversight for cordless phones. Why? Because in the words of past court decisions, when using a cordless phone, it is not secure (whatever your beliefs) as an end-to-end switched telephone call. Others can eavesdrop, and so can the government.

You accept using VOIP without end-to-end ssh/ssl/whatever security? Then you can't demand privacy and judicial oversight over snooping requests.

And you open up all telephone calls everywhere to being snooped on by not only the government, but anyone with the computing power and knowledge to snoop packets/save packets/grep packets. As computing power goes up, it gets easier to set grep cron jobs for key words when you go to bed, and then wake up ready to really go to work in the morning.

I'm no computer expert. Just a Monday morning half back. So maybe the experts can answer why I can't plug a VOIP phone into my network switch, and call up Cowboy Neal on his VOIP phone on his network switch, and we can talk with an ssl or ssh connecton bypassing Vonage and Ma Bell altogether.

Why isn't there an effort on Sourceforge (is there?) to enable this? Why are we letting Ma Bell continue to control our conversations when we have broadband connections and the equivalent of supercomputers from just a few years ago sitting on our desktops?

Anyone?

Re:Security? Not a problem for home users

[ArielMT]

So the guys over at WarChalking aren't wasting their time after all? It's a good thing I don't give out my email address or order things by credit card except with my cordless non-Interweb-emabled phone. Ah goody, Microsoft really does care about my computer's security, because they just sent me another patch as an attachment to one of their spiffy emails. Excuse me while I go run the patch... stupid antivirus warnings...

*snicker* Since when did security hold any technology back?

"There's a sucker born every minute." In the grander scheme of things, that's so true.

Why do we even need VoIP though?

[nial-in-a-box]

• It doesn't really do anything that is currently needed.
• It is more complicated than it needs to be.
• Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.
• It's going to be regulated as hell sooner or later.
• It's not a satisfactory long-term solution.

What annoys me the most is that cell phones still are not treated as "normal" phones by the key places where it matters, such as credit cards, etc. If I pay a monthly bill on a cell phone, and I need a positive credit rating to even get that service plan in the first place, why is that not good enough to establish credit? It annoys me that even though it seems like something that has been overlooked, it also looks like we're just giving extra business to land-line providers. I have no need for such a telephone line, but I will probably have to get one the next time I move as it still is a requirement for many things.

Re:Why do we even need VoIP though?

[bcrowell]

It doesn't really do anything that is currently needed.
For us, it was simply cheaper than paying for telco service in our house.

It is more complicated than it needs to be.
Huh? They shipped us a black box that plugs into our cable modem. You plug a phone into the black box. There was no configuration to do. You don't need a computer.

Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.
We now have a cell phone and a Vonage line, and no telco service. The Vonage service is cheaper and more reliable than the cell service, and the quality is better. YMMV.

It's going to be regulated as hell sooner or later.
Or maybe not.

It's not a satisfactory long-term solution.
Because...?

Re:Why do we even need VoIP though?

[psoriac]

I have no need for such a telephone line, but I will probably have to get one the next time I move as it still is a requirement for many things.

Can you name one of those things? I have been 100% cellular for the past 4 years, since I left college. In that time, I have:

-gotten a job
-gotten credit cards - visa, amex, discover
-moved to a different state
-opened a checking account at BoA
-received a new drivers license
-purchased a car
-purchased insurance
-purchased a house
-connected the various water/power/gas utilities
-opened an active account at Schwab
-subscribed to cable television and modem service
-taken classes part time at a local university

Not once has the fact that my contact number is a cell phone been a problem for me.

Re:Why do we even need VoIP though?

[cfulmer]

So, there are really two sides to the question:

(1) What does VoIP offer to telecommunications providers?

(2) What does VoIP offer to end users?

The answer to (1) is basically that it's cheaper to run one network than two. With VoIP (or VoATM or any voice-over-packet technology), companies that want to offer both voice and data service really only need the network intrastructure for the data service. The amount of data transmitted on commercial networks surpassed the amount of voice transmitted in the last 1990s, and has been growing at a much faster rate since then. Voice is rapidly becoming a blip in the whole landscape. At the same time, data networking equipment is a lot cheaper than voice equipment.

Voice, however, is still where most of the revenue is. So, the solution has been to use voice to provide the revenue to build the data networks, and just carry the voice over the data networks.

The answer to (2) depends on how integrated you want your telecommunications to be. You can do things like forward voice-mail in an e-mail and so on. In addition, there is a price advantage -- long-distance over VoIP is 10-50% the price of the same thing over TDM.

If you want to see complicated, check out a telephone switch. The DMS-100, a popular switch, has more lines of code than the space shuttle.

VoIP is the long-term solution. You may have analog phones in your house for a long time, but once it gets out of your neighborhood, it'll be Voice over Packet behind your back.

Incidently, one thing that Cell Phones still don't universally do is provide location information to the 911 people when you call them.

--
C

Re:Why do we even need VoIP though?

[devilspgd]

When they ask "what's your (home) phone number?" do you give your cell phone, or start off with some "I don't have a phone, but umm... well... uhhh... I have a cell phone if you want it" crap?

I go back and forth about having a landline, but I only ever give out my cell. When I have a landline, the number forwards to my landline when the cell is off. When I don't, I leave the cell on all the time.

In my experience, if you just give your cell phone number like you would give your home number on application forms, and when people ask, you won't run into any problems. If you tell people you don't have a landline, they get weirded out.

Re:Why do we even need VoIP though?

[psoriac]

I've always made it very clear that the number was a cell phone number, in case there are ever any legal issues that may arise because of it.

Sometimes they ask if I have a home phone, to which I reply "no" and that hasn't ever been a problem.

Um

[headbulb]

You try getting a trunk that has SS7. Oh wait you can't.

You say that you the pstn is insecure.. Have you tried lately to 'hack' into one, well besides being able to listen to whats on a analog line. Tell me how a cellphone is insecure (They have encryption and cdma is pretty secure by itself.), or how a isdn line is insecure.. Those are circuit based networks. (well cellphones are a hybrid)

Tell me how would you go about overhearing a circuit in this circuit based network? You can't. The fbi can, But that hardly makes it insecure. Circuit based networks by their very nature are actually highly secure networks. The only person you really have to worry about is the one in control of the line, if you dont' trust them you go with someone else and use encryption..

Now packet based networks are the ones you really should be worried about. Anyone that is on your network segment can sniff your packets. Now if they are encrypted or not is really kinda beside the point.

The modern ptsn network has out of band signaling (ss7) So you can't do alot of the attacks that the old phone networks were vurnable to. LIke playing your own tones (inband signaling.) So tell me again why a circuit based network out of band signaling is insecure?. (oh you can't get into the out of band signalling other then to dial and thats with isdn which uses isup for its out of band. Which is really limited and firewalled {for lack of a better term at the moment} the switch)

Re:Um

[noselasd]

>You say that you the pstn is insecure.. Have you tried lately to
>'hack' into one, well besides being able to listen to whats on a

Yes I have, it's rather hard, but finding the right cable, and
using the right software/hardware it's doable.

>analog line. Tell me how a cellphone is insecure (They have
>encryption and cdma is pretty secure by itself.), or how a isdn line
>is insecure.. Those are circuit based networks. (well cellphones are
>a hybrid)

True, but thats often just from the cellphone up to the antenna.(or sometimes a bit further..).
Once the voice is on cables, it's "decrypted"(not always though, but very common.

>Tell me how would you go about overhearing a circuit in this circuit
>based network? You can't. The fbi can, But that hardly makes it

You dig up a cable, its often 2mbit coax cables or fibre. You hook
on a splitter to get the signals. Feed them to a hardware card
on your PC, pick up an appropriate timeslot there, pass it throug a
decoder(e.g. G.711) and onto your soundcard.
I do this for work.. well not so much digging up cables, but making
software that can simulate e.g. a SS7 switch. It could among other things do the above.

>insecure. Circuit based networks by their very nature are actually
>highly secure networks. The only person you really have to worry
>about is the one in control of the line, if you dont' trust them you
>go with someone else and use encryption..

Its only secure cause its rather hard for the common man to do it.

Re:Um

[Gortbusters.org]

The FBI can because telecomm equipment vendors are required to keep that functionality in.

Re:Um

[Hast]

Tell me how a cellphone is insecure (They have encryption and cdma is pretty secure by itself.)

GSM phones are very insecure. A lecturer I had in cryptography had implemented a code breaker for GSM phones. Given 4 minutes of recorded conversation you could break the encryption on that particular call. If you place a recorder by a specific GSM base station you can break all calls routed by that cell in just a few seconds. (That requires about a 100 GB or recorded data though.)

Besides, current phone networks only authenticate the phone, the phone newer authenticates the base station. Get yourself your own station, place it in a van outside a company and you now control all mobile phone calls going through there.

If you have the resources you could in some cases reprogram the cell phones over the mobile network to make them "mobile microphones".

These last two would require a lot of resources naturally. But it's not impossible.

Re:Um

[duffbeer703]

During the cold war, american divers successfully spliced a Soviet military telephone line deep under the white sea.

They then proceeded to record every call that took place over that line.

Today, organized crime in Las Vegas reroute calls away from escort and massage services that refuse to pay protection money.

The telephone network is obscure and complex... but hardly secure.

Re:Um

[airsy]

(oh you can't get into the out of band signalling other then to dial

Dialing a phone is in-band. Touchtone travels in the same band as your voice. It's up to the Class 5 to detect those digits and set up a call digitally.

and thats with isdn which uses isup for its out of band.

ISDN uses Q.931 for call control, not ISUP.

Re:Um

[mpe]

You try getting a trunk that has SS7. Oh wait you can't.

Gets a lot easier if you are a PTO though.

Tell me how would you go about overhearing a circuit in this circuit based network? You can't. The fbi can,

Whilst it's not easy for a private individual to do this. It is possible for entities which have enough money get access. Through bribing the phone company, law enforcement or someone who has access to the relevent software. Remember that computers are stupid, if someone feeds one the right instructions it isn't going to say "hey I need to see a warrent before I can do that."

Circuit based networks by their very nature are actually highly secure networks.

They are secure against certain attacks, not others.

The only person you really have to worry about is the one in control of the line,

Which may include law enforcement, the telephone company, whoever wrote the software and whoever might have access to alter the software.

if you dont' trust them you go with someone else and use encryption..

In many parts of the world there is no "someone else", there being a local monopoly on the "local loop". Carrier Pre-Selection might change who issues the bill, but it dosn't change the hardware your phone is connected to in any way you can verify.

Re:Um

[mpe]

GSM phones are very insecure. A lecturer I had in cryptography had implemented a code breaker for GSM phones. Given 4 minutes of recorded conversation you could break the encryption on that particular call. If you place a recorder by a specific GSM base station you can break all calls routed by that cell in just a few seconds.

Also the encryption only applies between handset and the basestation. Even if you have a call between two handsets on the same basestation the encryption is not end to end. In actual fact the call may well be "tromboning" several hundred miles. Since the base station probably dosn't have the ability to connect the call internally or generate the the billing data.

These last two would require a lot of resources naturally. But it's not impossible.

Resources can be stolen, people can be bribed/blackmailed for information. Depending on the purpose of intercepting the calls a criminal gang, commercial corporation, national government, etc could consider the expense "worth it".

Re:Um

[mpe]

The FBI can because telecomm equipment vendors are required to keep that functionality in.

How can they ensure that only the FBI can use those facilities? How have they taught a computer to verify it a valid warrent exists? Do they pay their programmers a lot and provide them (and their families) with 24 armed guards?

Re:Um

[Gortbusters.org]

Well, they can't... hence why telecomm has other things about user records for privacy laws in Europe

It's not security, it's quality

[Linegod]

Spend some time using VOIP and you'll want to poke yourself in the eye. And that's on an internal network with QoS. You can put up with a delay on your mail, web, ftp, etc, or even jitter on video, but when audio starts to fart and burp, you'll go mad (MAD I SAY).

And with the cost of long distance nowadays, why would you want to drive the cost of your Internet access up by overloading the network with traffic that is doing perfectly well on it's current medium? I guess it comes back to the question of 'What are you trying to fix anyway?'

Re:It's not security, it's quality

[Gortbusters.org]

I disagree. I have an IP phone at work, and it's great, I see little or no difference from my old circuit switched phone.

What brand of phone do you use? I have heard that earlier Cisco phones weren't so great.

Re:It's not security, it's quality

[Linegod]

The current sets are Cisco, but the Nortel sets where about the same. 90% of the time they are OK, but when you are conferencing, or in hand-free, it starts to go downhill quick.

Re:It's not security, it's quality

[Gortbusters.org]

Check out Avaya (formerly part of Lucent/AT&T), that's what we have at work and it's been great.

Re:It's not security, it's quality

I agree 100% with this statement. We have Cisco as a client, (we are a law firm) and they use VOIP pretty much exclusively and it's truly embarrassing to them (and us) to deal with it and hold conference calls and have interruptions 2, sometimes 3 times in a meeting spanning an hour.

It's not only quality, it's reliability. TCP/IP networks have nowhere near the reliability of PSTN networks, and won't for many, many years.

security and voip deployment

[fat32]

IP Telephony allows the terms "Phreaker" and "Hacker" to come closer then ever before because of the convergence between telephony and IP. The security threat associated with IP Telephony is far greater than with regular telephone networks. It is combined from a number of different factors that needs to be evaluated before any deployment of IP Telephony.

PSTN Security ?

[noselasd]

I'm somewhat wondering at which level they need security..
If you want VoIP over the Internet, you defintly need to care about security.

Then again if an operator wants to do this over the internet, there are alot other things than security to think of
as well,(e.g how goddamn unreliable the internet can be.. packet loss, long unpredictable delays , etc.)

Now, many are already doing VoIP, but at a complete diffrent layer.
They replace their internal core switching network with IP networks.
Networks ofcourse nowhere near the internet, only as their internal bearer of signalling and in some cases the voice
as well.
Readers can go through the RFCs for the Sigtran stack for more info. Some are considering SIP/SIP-T as well.
The issue they face are not security, but maturity. Protocols and implementations are not that ready.
In this scenario noone talks about security, its the same as in the "old" telco network, phyisically security.

Which btw. isn't that secure. I can very well dig up an 2mbit SS7 cable, hook e.g. our SS7
simulator(www.utelsystems.com) onto it, and call for free, or cause lots of trouble for the switches..

A pet peeve: unencrypted cordless phones

[WoTG]

It bugs me that the vast majority of cordless phones for sale and purchased are unencrypted mini-radios.

Digital Spread Spectrum phones provide a reasonable amount of security, certainly orders of magnitude better than 'regular' cordless phones. DSS phones have been around for years, but for the sake of a few bucks and a lack of product knowledge, way too many people buy the $49.99 special at Walmart.

One of these day's I should buy or modify something to pickup analog signals so that I can scare/shock my friends/relatives/customers into buying better phones...

Re:A pet peeve: unencrypted cordless phones

When I was a kid, I would use my dad's police scanner to listen to cordless phones.

Re:A pet peeve: unencrypted cordless phones

[devilspgd]

I have an unencrypted cordless phone kicking around, and I don't think twice about using it.

Why?

Frankly, my conversations are too boring for anyone to care, and if they really wanted to listen in, they'd go into my backyard with a little battery powered radio transmitter and install it onto the telephone patch panel outside.

That being said, most of my conversations are on my desk phone, but that's more out of convinience then security concern.

Do I give out my credit card over the phone? I can't remember the last time I did, I buy stuff on the net. However, if I did give it out, I wouldn't worry about it. If you want credit card numbers, you'll have better luck getting a minimum wage retail job for two weeks and copying the receipts then to listen aimlessly to cordless phone calls until somebody gives out a credit card number.

Would I read out my SIN (SSN, for the American readers)? No. That one is need to know, and anybody that needs to know will meet me in person.

Luckily I'm old fashioned

I grew up (long time ago) in an environment where phone and postal services were sporadic, I also lived for 2 years in an apartment with no phone, and backpacked for months with little access to phones and mail. So I'm used to losing my communication lines periodically. I don't freak out if I don't have a phone.

For the past year, I've had no landline, I have a a cable modem and cheapo voip (and an even cheaper pager). Around here, the cable modem goes out quite rarely so internet's usually not a problem. But the voip doesn't work half the time, and I don't care: it works the other half of the time. At worst, there's the pay phone around the block, or the neighbor's phone/voip.

You ask, what about 911, what about disasters? When there is a major problem and the power and the internet's out, the neighborhood gets together and helps out, no sweat (they can call for me, drive me to get help, etc). That's not even remotely a problem (although I have called the police through voip before).

So yeah, luckily I grew up so far in the past I'm not afraid to use modern technology. :=P

But...why ?

[veg]

Why replace PSTN, that uses proven, stable technology, with another technology designed for something completely different.
OK, within an organisaion it makes sense if you have CAT 5 going to everyone's office already, and you have assured bandwidth in your network infrastructure, it can, and does, work. But over the Internet ? Forget it.

ATM is such a good networking medium for the phone. It was designed to allow QoS and pacing, and is therefore perfect at multiplexing audio and video. That's why the packets all hold 48 bytes!

IP was NOT! When you've got VoIP, the web, Real, P2P, pr0n etc etc etc all competing for the same bandwidth, you really start to see why telephones have no business on the internet.

The only reason there is a national/international VoIP industry is cost. If VoIP really does become a serious threat to telephone companies, all they need to do is drop the cost (for a while) and the VoIP businesses drown.

Security ? Whoever wrote that article clearly doesn't understand what telephone networks are.

Not lack of security

[mobileone]

Security is just one of the issues why VoIP has not caught on as an end user technology:

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

Availability A normal landline telephone is usually available 99.98 % of the time. If your ADSL reaches 99.7% you should consider yourself lucky. Furthermore normal phones work during power outages. In some countries this is a regulatory requirement for emergency services.

Billing It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Only a land line solution The world is moving voice calls to mobile phones. So far it has not been shown that VoIP is technically or economically feasible on mobile phones?

Quality It is pretty hard to beat the delay characteristics of a normal landline phone! VoIP has severe delay problems on thin access lines such as ADSL. Usually OK for 2Mb/s and up.

After all VoIP is only a matter of changing layer 3 and 4 in the protocol stack. Why would end customers care?

The places where VoIP is used today it is mostly invisible to the end-user: It is used as a cost cutting technology by a large number of long distance carriers. The service however is sold as normal "high quality" telephony. It is also used in a corporate setting for branch-to-branch calls as well as for PABX replacements. VoIP also makes a lot of sense sense as computer-telephony-integration in call centers.

The next majer breakthrough for VoIP will be VoADSL. VoIP all the way to the customer premises. The interface to the customer however will be a normal POTS jack, full customer service and the associated billing!

Re:Not lack of security

[PoitNarf]

People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

VoIP services such as Vonage are targeted towards people who already have a broadband connection, so that really isn't a factor for many people.

While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Devices such as the Cisco ATA-186 and the Motorola VT1000 enable customers to hook their normal phones up to the VoIP device, or hook their home phone wiring directly into the device.

In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

Kind of like what a cable or dsl modem does.

A normal landline telephone is usually available 99.98 % of the time. If your ADSL reaches 99.7% you should consider yourself lucky. Furthermore normal phones work during power outages. In some countries this is a regulatory requirement for emergency services.

Very valid point, however not always the case. During the August 2003 blackout even my normal phone was out. Only my cell phone worked. You can however buy a battery backup for your cable/dsl modem and VoIP device to keep them up and running. As long as your provider has emergency power at their location, you should be covered in that situation.

It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Check out the pricing plans and international rates on the Vonage website. I think you'll see that the costs are a lot lower.

The world is moving voice calls to mobile phones. So far it has not been shown that VoIP is technically or economically feasible on mobile phones?

I'm sure will see wireless internet access much more widespread in the years to come. That's the biggest hurdle for making wireless VoIP phones.

Re:Not lack of security

[bcrowell]

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection. My family has already paid for broadband access so that we can have fast internet access. Given that decision, VOIP is indeed cheaper than telco service for us.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.
We have a wireless base station plugged into our Vonage box. In other rooms around the house, we have two other wireless handsets. The total cost was about $120, and it would be an equally practical setup if we had telco service instead of VOIP. Our house doesn't have phone outlets in all the rooms where we'd like them, and let me assure you that pulling cables through the walls and installing connectors would cost a lot more than $120.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.
To receive phone calls you have to have your phone plugged into the wall. How is this any different?

Quality It is pretty hard to beat the delay characteristics of a normal landline phone!
For us, the quality has been indistinguishable from what we had with telco service.

Re:Not lack of security

[justMichael]

+5 Insightful or -1 Uninformed?

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

If you are only getting a high speed internet connection to use VoIP, you deserve to part with your money. All of the people I know that use VoIP are doing so to avoid ugly long distance bills, if all you use the phone for is local calls to order pizza you really dont need VoIP.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Odd, sitting under my monitor stand and on top of a 5 port switch is this little box that I plug into my switch that I can plug any phone I want to into. Granted crappy phones do not work well, but I DO NOT need a special phone. Some people have actually piped the RJ11 out of their ATA186 into the house line effectively feeding the entire house.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

See above.

Billing It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Please follow the links provided in the original Story to the VoIP providers, this is not about using some free software you found on Freshmeat to talk to your friends.

Quality It is pretty hard to beat the delay characteristics of a normal landline phone! VoIP has severe delay problems on thin access lines such as ADSL. Usually OK for 2Mb/s and up.

I can not vouch for other providers, but on Vonage as long as you have ~95k up and no packet loss the quality is fine.

The next majer breakthrough for VoIP will be VoADSL. VoIP all the way to the customer premises. The interface to the customer however will be a normal POTS jack, full customer service and the associated billing!

Again I can not vouch for other providers, but Vonage provides online realtime usage stats, access to your voicemail from any web browser and you can actually call customer service and talk to a human when you have problems.

Sorry if I come of like a ass, but I have seen this same basic comment every time there is a VoIP story on slashdot and most of it is not true.

I have had Vonage service for roughly 2 years and the only time the quality sucked was when I was on Adelphia cable. I switched to DSL and it was fine, I am currently on Comcast/Attbi cable and it is fine.

Re:Not lack of security

[adolf]

Where I work, there's a magical grey box on the wall in the area where all of the telco stuff demarcs.

It's a device from Pairgain, and looks to be NEMA rated and such. It is line-powered at something obscene like 300 volts. I recall that it says something about xDSL on one of its brightly-colored warning labels.

One pair goes into this box from the utility pole; three (loop start POTS) pairs emerge.

It works great. I've got a very little idea what the back-end consists of. AFAIK, the whole kit was supplied free by Ameritech/SBC, as the neighborhood is completely out of spare copper.

VoADSL? Check. Breakthrough? Not by a longshot.

I'll consider it a breakthrough when the POTS loop can be eliminated, and our small-office VOIP-based phone system can talk IP to the local PSTN. Replacing the Pairgain demarc box with a DSL router configuring the switch for h.323 would get there (in a perfect world), but it's just not gonna happen.

Re:Not lack of security

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony

I don't know where you are from, but in MA, with no paid features on my phone line and usage of less than 500 minutes total (including long distance, local and in state long distance), I was paying about $60 a month at a minimum. That's $720 a year.

In the same location, with a cable modem and Vonage, I page $25 a month. That's $300 a year. Yes, the service quality was unacceptable entirely.

During the time I was in MA, I paid $44.95 a month for a cable modem. That's $540 a year.

In Florida, I've paid no less than $80 a month, including unlimited long distance. I make upward of 2000 minutes a month long distance alone. Thats $960 a year.

I pay $39.95 a month for 1.5/256 ADSL. That's about $480 a year. I'd pay $49.95 a month with the combination of services I have or $600 a year. However, because I am require to have a phone line for my DSL, I am roped into a variety of fees that are bare minimum for DSL. The cheapest I could get DSL including this is about $70 a month or $840 a year.

VoIP would cost me, because I telecommute, $50 a month for unlimited or $600 a year.

• Cable + Land line cost: $1260/year
  
• Cable + VoIP (500 min) cost: $840
  
• Cable + VoIP (unlimited min) cost: $960
  
• Cable + VoIP (small business min) cost: $1140
  
• DSL + VoIP (500 min) cost: $1140
  
• DSL + VoIP (unlimited min) cost: $1260
  
• DSL + VoIP (small business min) cost: $1440
  
• DSL + Land line cost: $1440
  

VoIP on a cable modem was reasonable at best, though it sounded like a so so cell phone. At worst, it sounded like I was calling from Australia with a cup attached to a string. One day, there was over a 2 second delay in the time I spoke and the time I heard a simple "yes" response. I always assumed this was because of the nature of cable. However, the savings is significant. There are ways to do it even cheaper than Vonage. If you need to save money, can get or have a cable modem and don't mind the possibility of low quality of service in your phone calls, this is what I'd use.

VoIP with DSL doesn't perform any better. I regularly check my DSL speed and it peaks out right near the advertised speeds. The cost savings isn't as significant, but not trivial either when comparing plan to plan. However, given BellSouth offers unlimited plans and discounts for combined services, the small business VoIP plan costs about the same as my land line services, all things considered.

Simply adding in the cost of bandwidth to make VoIP look more expensive is misleading. Personally, the cost of bandiwdth is a basic utility I'd have with our without VoIP. VoIP for the customer ain't so great in my experience, but in some cases, it really is significantly cheaper.

Re:Not lack of security

[Randy+Rathbun]

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

If you are only getting a high speed internet connection to use VoIP, you deserve to part with your money. All of the people I know that use VoIP are doing so to avoid ugly long distance bills, if all you use the phone for is local calls to order pizza you really dont need VoIP.

I say both of you are wrong on this count, and it is something I could not seem to get through the skull of the lady I talked to at SBC yesterday when I called and had my PSTN shut off.

Our conversation went something like this:

Me: I am shutting off my PSTN because I am now using VoIP

SBC: Well, why are you doing that?

Me: Because I will be saving money.

SBC: Well, it shows here you have the Caller ID package. I can turn that off and save you about $10 a month and your montly service will drop to $19.50 a month.

Me: Well, I am going with VoIP for $19.95 a month, and I get that Caller-ID package. Plus I also get voice mail, call waiting, call forwarding, and 3 way calling, and whatever else the VoIP people turn on in the future.

For some odd reason she still refused to grasp what I was saying to her.

Yes, I make a bunch of LD calls, but since I normally use my cell phone for those anyway, I was already getting LD for free. Going with VoIP just made it nicer because now I do not have to wait until 9 PM to make the calls.

Re:Not lack of security

[justMichael]

Fair enough. I was just saying that if the only reason you get DSL/Cable modem is to use VoIP you are probaby not saving any money, unless you make a lot of long distance calls.

If you have a cable modem and you decide that VoIP is better than *bell, it's all the better. Personally I haven't had a land line for over a year and last time I did have a land line the cheapest you could get your bill was ~$40

The DIFFERENCE is: Script Kiddies

[Saltation]

PSTN communications are not easily physically available to most non-electronically-savvy people.

VoIP is (relatively) easily available to any computer-- it uses standard protocols and is intended to travel via networks which are physically publically available during at least some portions of a phone call's life. The access issues are those of any network crack. Exploits can be expected to be passed around thru the saddo script-kiddy-krackers as soon as discovered.

And as regards encryption -- no encryption can withstand brute force. If you are tracking someone's calls, you can simply copy them all to your own disks, then bruteforce open them in your own time. It might take a few days per call, but hey, that's good enough for most purposes.

--
Sal

Writings: saltation.blogspot.com
Wravings: go-blog-go.blogspot.com

less security than what? causing what problem?

[bcrowell]

I switched from telco to Vonage a couple of months ago, and this article has exactly zero correlation with the pros and cons of the transition as I experienced it.

First of all, if VOIP is supposed to be less secure, what is it less secure than? Less secure than telco service? That doesn't really make sense, because essentially all the people who I call and who call me have telco service. There's no such thing as a 'VOIP call' or a 'telco call.' If you stay with the telco because you think it's more secure, and then you call me, guess what -- your call went through my VOIP provider, so you're not any more secure. Likewise if I got a VOIP box that did encryption on the voice data, it still wouldn't guarantee my security if the person I was calling was using an unencrypted wireless connection on their end. And BTW, even if you're a telco customer calling another telco customer, many of your calls probably go through the internet on part of their journey.

It's also not clear to me what real problems they're claiming the lack of security would cause. The beginning of the article seems to imply that the threat is unreliability due to attacks by hackers. Well, that just isn't the real reliability issue faced by actual VOIP users. The only real reliability issue I've encountered is that when my cable modem service isn't working, my phone stops working. (But so far it's always cured the problem if I just power cycle the cable modem.) It's also worth noting that one of the main reasons we switched from telco to VOIP was the poor reliability of the telco service. We went through a period of about two weeks recently where there were telco guys working continuously all up and down the street, all our neighbors had no telco service (or patchy telco service), and we were the only ones on the block who could actually make a phone call. According to the telco worker I talked to (the big green box is right in front of my house), the issue is just that the equipment is getting really old.

They also seem to imply that there's some sort of a threat of identity theft, or that someone may steal your service. Well frankly, I'm taking a bigger risk every time I let a waiter in a restaurant see my credit card number.

Re:less security than what? causing what problem?

[mstovenour]

What many fail to realize is that there is no security in the existing PSTN. I've sat in a central office and watched as technicians patched in a T-Bird (common piece of test equipment) to listen to random conversations just for fun. Tell me again where there is security? To listen to your conversations a person must physically place a piece of test equipment in the network somewhere between you and the other party. Notice that I did not indicate what type of call I was talking about (i.e. PSTN or VoIP) That is because it works exactly the same way, only with a different piece of test equipment. Why do we feel we need encryption for VoIP calls when we have never (in general) needed encryption for PSTN calls?

Security

[secolactico]

Screw security. It does not need to be implemented on the network. It can be implemented on the endpoints, and there are already devices to encrypt plain old telephone calls.

Reliability is the key. PSTN are not more secure except for the fact that is controlled by a few and has limited application besides voice (your fax machine is not going to contract a virus that will in turn disrupt communications for everyone).

VoIP is feasible, but not over plain old internet, and it doesn't have to be. There are several telcos that use IP on their voice backbone, on a network isolated from the internet.

Imagine the slashdot effect taking down not only your company's webserver, but your phone lines as well... ;-)

911

[RoadkillBunny]

I see 911 as the biggest problem. If you are sharing the phone line with a normal internet, and you need to call 911 while someone decides to download the RedHat ISO's, you are in trouble.

Re:911

[Spaham]

Well, I'd say you were ALREADY in trouble if you needed to call 911 in the first place... ^_^

Re:911

[Daneurysm]

Wow, your priorities are way out of whack...

Re:911

[Surreal_Streaker]

QOS.

I need VoIP

[gad_zuki!]

>It doesn't really do anything that is currently needed.

I don't want to pay for a POTS line and expensive long-distance.

>It is more complicated than it needs to be.

That can be said of a lot of things. It happens to work, and well.

>Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.

My cell phone goes out all the time, my VoIP works all the time. My cell phone has limited minutes and when in use it pushes a few watts of energy at my head t'boot. It also sounds more like a POTS phone than the crap that a cell-phone delivers. You can speakly quietly, listen to real human sounds like quiet sighs and other things cell-phones fail at delivering. No finger in the other ear using VoIP.

>It's going to be regulated as hell sooner or later.

Defeatist much? Even regulated that doesn't mean it will be unafforable or even more expensive. The last round of complaints have more to do with calling your local 911 service and many VoIP proviers already have that function working.

>It's not a satisfactory long-term solution.

Says you. Only the five richest kings of Europe will be able to afford computers too.

we already use voip

[unclefungus]

most of the thing the telcos do is VoIP already! the pstn is just for that last mile. once your connection hits the nearest box, it becomes Voip and is shot over the internet to the next nearest box to the other conversationist and back into a soiund singnal. this just gets rid of the middle man. there is no reason to have to have two different connections for what should be the ame thing! The telco are holding back the emergence of voip just like the oil co's were doing for the electric car. Does any one else realize they don't have monopoly on communication any more?

Re:we already use voip

[Roydd+McWilson]

Most standard telephone networks do NOT communicate over the Internet. Telephone companies have separate networks for phone calls only, which use different protocols and associated hardware than IP in order to guarantee high reliability. Furthermore, they have the appropriate legal agreements with their peers to make it a big incentive that even when your call has to pass through a different company's network, you will still receive the desired level of reliability, delay and audio quality.

Another article on this subject...

[ManxStef]

...over at SecurityFocus - Voice over IP Security by Matthew Tanase

Re:Security isn't the problem - False

Security is not holding VOIP back.

False

The exact topic of interest was security in a VOIP discussion recently on a mailing list. The lack of an end to end security solution (ssh/ssl/?) with Vonage agent-in-the-middle snooping possible is the exact problem.

Had this not been the problem, we would have been one of the first customers of Vonage, and would have had multiple locations set up first with those Vonage/Linksys appliances, and later with something more robust as we looked into it further.

Security of calls is the most important thing to consider when considering voice service. Even before quality. You can spend a penny a call, or a buck a call, and it doesn't matter which if the security is not there because when someone gets a hold of information from one of your bank/business/insurance accounts, then the game is up. Think whole life insurance with a couple hundred grand in cash value, not car or house insurance. Or a deposit account for a construction company. One penetration, and you will lose a 100 years of phone bills.

You'll understand what I'm talking about after high school and college.

just look at how analog cellphones prospered. We all know how easy those were to listen to.

This shows your age. Even more so than my initial misreading of the line as analog cordless phones instead of analog cellphones.

When analog cellphones came out (I won't start with the very first ones) they were about $700 a piece, and $5 a minute. The only ones using them were doctors, stockbrokers, drug dealers, and a select few others with the company connections or money to waste on them. While it was common knowledge among hams and cd radio fans that you could pick up the conversations with scanners, it wasn't well known among the actual users how easy it was. I knew a few users back then and warned them, and they dismissed my concerns.

Back then, a scanner capable of picking up analog cell phones (without modifying a cheaper version) cost $299. And you could pick up not only analog cell calls, but marine bands as well. Quite a few times I heard ship to shore calls being placed to a shore operator that required the guy on the boat to read his credit card details over the air to pay for the call. Of course, when I heard such calls, I changed frequencies immediately. I was interested in what fish were running where, and who was catching what, and where, not credit card conversations.

One difference then was that the number of scanners were limited (my scanner was the first one sold at a busy electronics store in close to a year at that time). Another difference was the threat of heavy jail time for intercepting the calls. There were regular announcements of busts for intercepting the calls, but the announcements for cloning the phones later far outnumbered the ability to listen in.

The only reason that listening in on analog calls was brought to people's attention was that the cellular companies had paid billions for digital spectrum, and wanted to move everyone off analog. So the scare stories started streaming out regularly after that.

How in the hell you got modded up to a 5, especially after someone else corrected your mistake on the title is beyond me. You must have a lot of alternate ids and mod points on them. I can't see any other way.

SIP

[Servo]

I use Vonage (SIP Phone) on my nat/firewall connection at home, and it works perfectly fine. I'm not sure if you are aware how these technologies work at all...

Re:SIP

[devilspgd]

Sure, with a central server it's easy.

It's not so each if you want to establish a direct VoIP call with both people behind a NAT router that they don't control.

Converged Security

[Effugas]

Voice over IP actually creates some particularly hairy security problems that traditional approaches really, really don't manage well. Some disclosure: I work for Avaya, one of the big vendors of large scale VoIP systems, though much more for the enterprise market than for anything to do with the public space (Vonage, Packet8, etc).

Lets start by looking at the wire protocols. We have two separate domains within which VoIP operates: Signaling, which determines where a call should route, and traffic, which is the actual stream of speech that needs to arrive at its destination in under a tenth of a second. These are very different protocols. Signaling was originally implemented using H.323, which can be basically thought of as a port of the existing telephony protocols (SS7) to IP.

H.323 is...well...not entertaining to work with. It's a very messy protocol. To a first level of approximation, H.323 is being reimplemented with SIP, which applies the semantics of HTTP to VoIP signaling. SIP is still complicated, but in a more manageable way.

Whether one is using H.323 or SIP to route calls, the actual traffic is moved over a relatively simple protocol entitled RTP. RTP basically involves chunking compressed audio into small packets, attaching a timestamp and a codec identifier, and throwing the packet at the appropriate host. UDP Port selection is managed dynamically by whatever signaling protocol is being used, meaning a firewall either needs to open the entire range of ports that VoIP might use (not small) or it needs to directly parse the signaling traffic to determine what ports to open.

Remember how both SIP and H.323 are both very complex protocols? Add in that complex protocols can hide many security vulnerabilities, and put that complexity in the firewall: Mistakes are made. (That's not theoretical -- a recent mass audit of H.323 exposed holes not merely in VoIP endpoints, but VoIP-aware firewalls. Microsoft, who actually has a pretty impressive firewall solution, was hit pretty bad.)

It's now that we can start discussing the differences between Enterprise VoIP and the kind of PSTN-Bridge VoIP that Vonage sells. Phones in enterprises receive connections from every other potential phone -- in other words, there's generally no central proxy that copies all the traffic towards where it needs to be. In the enterprise world, there's relatively few firewalls inside the corporate network, those that are deployed can be made VoIP aware, and the "central gatekeepers" really only manage directory services (go to this IP for this extension), conference-call mixing, and in the Avaya case, encryption keys.

You don't have that situation in the public realm. Firewalls -- which are everywhere, as deployed through NAT -- simply won't accept incoming connections from hosts that a backend client wasn't communicating with in the first place. But that's almost OK, because the only host a Vonage box needs to communicate with is Vonage itself. So if you actually examine the Motorola device that Vonage is presently deploying, you'll see that it itself accepts almost no incoming connectivity of any form that doesn't appear to come from Vonage itself (just DHCP and ARP, basically). The public providers basically proxy all traffic, because they have to: Nodes on the public PSTN network (normal phone lines) can't be told to just send IP packets at the Motorola device. So the proxying is basically mandatory.

It's ironic that, at least at the moment, PSTN integration carries with it an architecture that's infinitely more wiretap-friendly than what VoIP could eventually become. Tapping a complex mesh where any node often communicates with every other node is difficult-to-impossible to do, at least with any form of reliability. Create a finite number of junction points that must be passed through in order for connectivity to be established, however, and tapping becomes feasible.

AOL Instant Messenger is the most interesting va

Two things holding it back.

1) Cell Phones.
Why do I need another phone? I get excellent coverage and my calling plan is flexible.

2) Crappy ISP's
I would not be willing to deal with the latency/bandwidth issues. Until you have QoS from point A to point B, VOIP will be an annoyance.

Not held back!

The large phone companies as MC*, AT*T, etc actually channel the international phone calls thru VOIP. In some countries, this is done illegally via private contractors in that foriegn county. This way, the US based company pays that contractor (or corrupt official) a lower ammount than they have to pay the local government, and that contractor will channel the calls thru their servers to the local network.

If you happen to be in one of these countries (as Lebanon), you will notce that some of the international phone calls you receive have a local "caller ID" number.

Large companies are already using this to rip the third world countries and pay less international fees.

Tha said. I do not think VOIP is heal back. It just takes time. I do not hink that the PSTN systems took off overnight.

What we need

[chunkwhite86]

is something with the versatility of SSH, but that works on UDP. That would answer this problem.

Security is not the big problem...

[Zed2K]

I'd say reliability of ones high speed internet connection is the major problem. With a normal phone you know its always going to work. Whens the last time you've had a phone problem with the line coming into your house. You can even use the phone when the power is out. But with voip, power outage or your provider going down takes out your phone too. Until they get reliability up on par with a normal phone line I'm staying away from it.

How secure are landlines...

[SmackCrackandPot]

In the last apartment complex I lived in, the telephone lines to all the neighbors living above me, travelled down a conduit that went through one of the inside walls of each apartment, which could be accessed simply by removing the faceplate to the socket. The builders didn't exactly have security in mind.

And there are always stories of people finding unexplained telephone calls billed to their account, only to find out someone else had jacked a patch cable to their line on an outside wall.

Re:How secure are landlines...

[ceo2]

let's face it, any form of voice communication is open to room bugging -- the big point is how open the system is to remote and automated access. PSTN is not really foolproof but it did place a legal responsibility on the provider to keep the lines secure -- you knew who to sue. Upgrading PSTN to all-optical would suppress the vast majority of casual hacks. Are you prepared to loose all 'assurances' that the party called is actually there? Anyone care to comment on the stress created by this modern anonymity?

Call me a conspiracy theorist, but...

From that page:
"Given that the software has not been maintained since 1997, we doubt it would run on most modern systems."

So it presumably ran OK on 1997 hardware - it should FLY on today's! There's a different reason they're not even distributing it in source code form. Figuring it out is left as an exercise for the reader.

Lack of area codes are the problem

[eberry]

I am more than ready to order Vonage and ditch my landline. I was ready to order months ago. But they don't have my area code. They just added Columbus so I can only hope they are adding Cincinnati next.

Parent is a PLAGIARISM TROLL!

Copied and pasted the comment directly from a security presentation:
http://216.239.53.104/search?q=cache:Piev_YARt1sJ: www.hivercon.com/conf/archive/hc02/Arkin_IPTelepho nySecurity_HC2002.ppt+%22terms+%22Phreaker%22+and+ %22Hacker%22+to+come+closer+then+ever+before%22&hl =en&ie=UTF-8

I'd Say Incompetence Is Holding It Back

[Master+of+Transhuman]

City College of San Francisco just switched to VoIP for their internal phone network.

It's been a disaster. Phones cut people off, the wrong people get transferred calls, weird noise on the phone line.

I'm waiting for the whole system to go dead any day now.

One of the IT guys who helped install it keeps an analog phone in his office just in case.

At least the fax phone line in Registration is still analog.

I read a Cringely report in InfoWorld where a company had VoIP and when it prevented customers from calling them, they didn't know it until the voicemail overflowed - and then they couldn't call support - because the phone didn't work.

VoIP - nice concept - bad execution.

Re:I'd Say Incompetence Is Holding It Back

[Randy+Rathbun]

I'd say the dumbass the installed the VoIP needs to go back to installing print drivers for people.

COPY AND PASTE TROLL

i see you copy and pasted it from
http://www.newport-networks.com/whitepapers/scwpes 2.html

looking at your posting history you seem to be fooling most of the mod's
shame you couldnt join in with your own thoughts though really, have you thought about doing something else with your time ?

perhaps you will understand once you hit puberty

Encryption

[zin]

VoIP isn't as secure as a circuit switched PSTN. Many experts agree that there is a reasonable expectation of privacy over a POTS line that doesn't exist in any shared (unencrypted) network like the Internet. I bet if you did a trace to your VoIP providers network you would pass over quiet a few network before you get to your destination. All it takes is one owned box on either end to start sniffing all that traffic. VoIP add complexity and technology to solve the problem of end to end voice communication and with that complexity comes more chance for insecurity.

Is Security Holding VoIP Back?

[netcaretaker]

It is called IPv6, whenever that happens, just like QoS someday the ISP's will have that also, someday......

Insecure by design

[duffbeer703]

Nobody wants a secure telephone network.

The benefit (privacy from snoops) is far outweighed by the inability to intercept criminal or other communications.

Re:The DIFFERENCE is: Script Kiddies

[Daneurysm]

I'm really asking to be modded down with this, but but, what the hell are you talking about?

PSTN is not available to the non-tech-savy people!!???

Umm, that's just about the only phone service I know of available to the "non-electronically-savy" people which you speak of.

In light of this all of your other "points" are absolutely moot. Sorry to come off like an ass, but, do you have any idea what the PSTN is?

~Dan

Because...

[Sanity]

...its easier to hire someone than to fire them - and the /. crowd won't admit that hiring him was a mistake.

unlimited bs

[quonsar]

"With the unlimited [calling plan] product there is the obvious possibility that someone would use the credentials with a PBX -- or with multiple units -- to make significantly more 'unlimited' calls than a normal user"

well. sucks to be you then. perhaps if you stopped using weasel-words like "unlimited" when you mean "we have a very definite upper limit"? or perhaps a corporate lie-monger like ravi here would enjoy an unlimited prison term in which to ponder the sleaze inherent in misrepresentation of the product to the consumer, hrm?

Hang on, that's a different topic

[Saltation]

Your post (and outraged indignation :) confused me unti I realised we were talking about 2 completely different topics.
You are referring to people being able to pick up a phone and talk to someone via PSTN. And you are absolutely right. Both PSTN and VoIP (or CDMA or GSM or blahblah) are usable by any user; the underlying transport technology is utterly irrelevant to them and usually unknown by them: it is "transparent" technology in the old now-near-forgotten UI terms.

But that's not this discussion's topic.
The parent slashdot topic was focussed on (Lack of) Security, not the end-user interface -- the ability to step behind the curtain, as it were, and access someone else's phone call. So my post wasn't referring to Joe Public trying to sort his evening's pizza, but rather Fred Blackhat trying to listen in on the call ("Ah HA! Pepperoni... we have him now...").

The key thing I was trying to point up was that a MAJOR difference in the practical security of VoIP vs PSTN is not technical, but cultural/sociological: the motivation of the people with VoIP-cracking skills is much less likely to be confined to professional work than those with PSTN/POTS/CDMA/GSM skills.
To put it another way, the difference between a gun and a murder is motive.

The average trained telecoms engineer or even technician will have trained in a formal environment for several years to gain these skills, and will overwhelmingly tend to be using them in a normal professional environment, and as such will tend to have a normal social skillset and social life. Few telecoms technicians believe they will gain professional cred by cracking a network -- most skilled ones recognise that any engineer can do it, it's not hard for them (remember the bored "so what?" response to the gosh-wow announcement by that Israeli uni crew that they'd "cracked" GSM?).

In the IP world though, you've got the script kiddie syndrome. Find a crack for the sake of peer props, then propagate that crack. Fred Blackhat no longer needs 4 years training and expensive kit, he can just hang around on some IRC channels and wait for the current crack.

And yes, this risk only applies to the portions of the traffic that go by public networks. But it's still there and Joe Public can't know which calls are all-private and which travel on public networks. And don't underestimate your exposure. I once got a direct email in London from an unknown student quoting stuff from a private email to some friends in the Baltics. I traced it back and then started wandering round some networks and worked out a pool hall where me and these friends had killed some time surfing while waiting for a table one night, had had network access provided by an extension of the uni network, one machine from the CS dept had briefly served double duty and now acted as a gateway between the uni and the pool hall (among many others). To cut a long story short, due to a brief period of technical shortcut followed by unexpectedly explosive growth in a commercial extension of the university's underused top-quality infrastructure, the uni's CS students can monitor & intercept a great deal of "commercial" traffic in that region. OK, they're still at script kiddy mentality of showing off. But in future?

In assessing your own practical risk, you have to take a position on how many silent timebombs you believe are sitting around your own country, waiting for a good reason to be used.

And you might like to hesitate a moment and reflect that your own IP traffic is increasingly likely to be routed via a low-cost high-tech country sometimes, according to the whims of the market... Remember where DarkAvenger came from?

cheers, Sal

--
Sal

Writings: saltation.blogspot.com
Wravings: go-blog-go.blogspot.com

Linked Comment

[Saltation]

Hmm, institutionalised corruption was a further wrinkle I didn't think of. Check out the last few paras of this thread for a complementary look at other hidden international exposures.

Unfortunate Realities

[Saltation]

Hmm. Some related threads of a mere-practicalities-of-a-commercial-world nature.

• Any tech is crackable with physical access and special kit and special training. You will always have lots of people in a position to crack any technology, no matter which one you look at.
• It's not technical difficulty that matters, so much as how motivated people are to do it.
• International exposures from bored highly skilled low paid people in well resourced high-tech areas that your calls can pass through without you realising.
• Institutionalised Corruption in some regions your IP traffic can invisibly flow through
• It only takes one compromised box anywhere in the stream

--
Sal

Writings: saltation.blogspot.com
Wravings: go-blog-go.blogspot.com

Easy to hack

[lorcha]

Tell me how would you go about overhearing a circuit in this circuit based network?

1. Fly/Drive/Walk to the location of the person you wish to overhear.
2. Attach lineman's handset to circuit you wish to monitor.
3. Listen to super-secret conversation.
4. ...
5. Profit!

Re: Is Security Holding VoIP back?

[N7DR]

Of course, the question really is: "Is Lack of Security...?" but in any case, given that the PacketCable Security specification (which covers the security for running IP-based telephony over cable systems) runs to 377 pages, I think that one is forced to conclude that, whatever is holding VoIP back, it's not [lack of] security.