VoIP Security
An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks,sniffing, session hijacking, etc." Considering it's recent growth, how secure is VoIP?" PCM2 sent us a Wired bit about Phil Zimmermann of PGP working on a privacy system for Voice over IP calling.
From TFA:And all these errors are in just the introduction.
Now, I don't expect perfection, but the sheer amount of errors present here is beyond the pale, and renders the reader incapable of trusting the subject matter presented, or taking the author seriously.
Mr. Anderson, about 98% of the errors in your article could have been avoided by the use of a simple spell-checker. Nowadays, people don't actually need to know how to spell, as we have software to do that for us...but you have to actually use the software.
____
~ |rip/\/\aster /\/\onkey
I use Gentoo; how does this affect me?
I have never worried about man in the middle attacks on the internet. To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do. Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call. Any attacker listening to my calls is going to get very bored very quickly. If they do the latter two, it could cause them to get caught because I'll complain about the problem.
The only security problem I see is if the attacker can learn information that lets him make calls billed to my account. This becomes the VOIP vendor's problem anyway. When I notice something wrong with the bill I'll do a chargeback on my credit card for the bill and simply change VOIP providers. If this happens a lot, the VOIP vendor will do something about their security problem.
Or am I missing something?
Hi Hun, I am gonna be a bit late tonight
I thought you were going to give me a lift to Tinas?
That's tomorrow, have you been taking my pain killers again?
No... erm... ok I'll see you later
*click*
Wait, we are being line-tapped
Oh my god! Execute the Omega 13 Device!
*end of world*
Really - if you want security, talk in tongues, or use a third party audio scrambler, plus encrypt the session. (then unencrypted it will just sound like noise). Plus stand on one foot while you talk, and occasionally look through the venetian blinds for snipers across the rooftops.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Because there is no way in the world I could just go to your telephone access box with a phillips head screwdriver and pull your connection.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
There is a program called Cain that can sniff VoIP traffic (as well as other things) and turn it into a wav file if it understands the codec. There is a video on how it works at: http://www.irongeek.com/i.php?page=videos/cainvoip
Can't we just stick to regular telephones? I don't want my 911 call to be interrupted by a denial of service attack...
Indeed. I have spoken about this before. In fact from TFA:
Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.
I couldn't agree more! All the power to people who use VoIP or cell phones as a primary line. But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is. POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house), it survives power outages and I don't think it can be brought down by a buggy TV in your neighbor's house. A friend of mine lost Roadrunner and TW's digital phone service for two days because of a TV next door that was leaking RF onto the coax network.
More to the point, if these services are going to be sold as a replacement for your POTS line then they damn well ought to be regulated like your POTS line -- with requirements for reliability and appeals processes if you get hosed.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I humbly agree because even though I like the idea of Voice over IP, it needs more development. Just remember when cellphones were new and a lot of people died because 911 couldn't be reached by the cell phone.
Go to the w3.org and put Slashdot.org through the validator.
Fair enough.. "if it ain't broken don't fix it" but seriously.. how old are those phone wires that are laying in the ground??? The advantages of VoIP are amazing... the cost on Long Distance is ridiculous... POTS might not be broken.. but what happens when those wires do need to be replaced... I'm positive nobody is going to be jumping in and re-laying the wire..
Losers whine about their best, Winners go home to fuck the prom queen
Of course, now ask how many cable companies are actually deploying fully PacketCable-compliant systems with all the security turned on the way it was designed to be.
Please visit the VoIPsec archives, before assuming that any one article could cover it all. There you could find links and comments from some of the most pertinent contributors to this subject.
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
Was a neat little app a few years back for simple IP-IP VoIP that was (supposedly, never checked) well encrypted, it converted the key into English words that you could say in your own voice to confirm that you weren't a victim of a MITM attack
http://web.mit.edu/network/pgpfone
/* FUCK - The F-word is here so that you can grep for it */
I think you're mostly correct. The only thing I worry about is the casual call to a company you do business with that requires you tell them your SSN over the phone to set up or make changes to your account.
I'm a big tall mofo.
The majority of people are going to be getting their VOIP service from someone sitting in their basement, or from Skype or somesuch. They're going to get it from their ISP, which will provide a security layer of some sort - separate VPN, encrypted trunks, etc.
Anyone who believes that this is some 'golden age' of free communications is on crack. And cheap crack at that.
-- I care not for your foolish signatures.
The advantages of VoIP are amazing... the cost on Long Distance is ridiculous... POTS might not be broken.. but what happens when those wires do need to be replaced... I'm positive nobody is going to be jumping in and re-laying the wire..
And exactly what kind of wires do you think your internet connection is coming in on? Do you worry about the wires when you talk about VoIP? And, yes, they will replace the wires. Pretty much the only copper part of the PSTN left is the local loop from the CO to your house. And Verizon is even trying to fix that. Who do you trust more to deliver bulletproof service? The phone company who has a history, experienced people and several layers of regulation -- or the cable company who has no history in telecommunications, not as many experienced people and absolutely no regulatory oversight whatsoever.
I think it's somewhat telling that even Time Warner isn't yet brave enough to offer their VoIP service to businesses. Businesses tend to complain and sue when they lose communications.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
" I don't want my 911 call to be interrupted by a denial of service attack"
But what if a boulder rolls over the telephone poles? What if a hijacker flies a plane into your phone box? What if an earthquake wrecks the local phone company office?
Better get a cell phone, but what if a massive blackout knocks that out? Maybe you better get some carrier pigeons just in case.
My VOIP service costs 1/3rd what I was paying for bare-bones service from the local phone co. When I call support, my VOIP co has a human being on the other end. They have never slammed me with unwanted services, and they have never charged me for someone else's phone calls.
VOIP is better than landlines in every conceivable way as far as I'm concerned. Why everyone harps on 911 service so much is beyond me. Why does everyone think the world is going to end if they can't immediately get ahold of the layabouts at the local 911 office?
Last time I called the cops it took 3 hrs for them to arrive anyway, and I live 4 blocks from the station.
If you have a set of alligator clips and a phone. Or a set of diagonal cutters (DoS attack).
I mean, really
- Brian Roach
Wouldn't it be simpler, more effective and thus cheaper to secure IP communication instead of securing Voice over IP, HTTP over IP, SMTP over IP, FTP over IP and whathaveyou over IP? There even is a standard for secure IP communications, inconspicuously called IPSec. Stop the nonsense and start using encryption where it benefits all protocols.
POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house)
:)
(and the rest of what you said was good)
I live in a college-heavy neighborhood, in a DUI-heavy state...you'd be surprised just how often this can happen (though I lose power more often than phone).
I once had drunk drivers crash into some box two houses down that apparently my home power runs through twice in three weeks. Same box. Different cars. No joke. And it wasn't even the snowy season.
Of course, this has nothing to do with VoIP security...
Can't something like OTR (Off The Record messaging - http://www.cypherpunks.ca/otr/) be applied to SIP or IAX conversations? I know it was designed for slow, IM-type packet traffic, but the crypto is there. It can't be that hard :)
"The phone company who has a history, experienced people and several layers of regulation -- or the cable company who has no history in telecommunications, not as many experienced people and absolutely no regulatory oversight whatsoever."
Well the VOIP provider has one important motivator that the phone company lacks.
Competition.
The bells seem to think that whatever they want to do is okay. You're stuck with them, they don't have to be honest in their billing, It costs the telcos nothing to enable caller-ID, indeed it is an integral part of the POTS system, so why do they charge extra for it? Because they can.
They can slam you with extra services you never asked for, and then endlessly transfer you from department to department when you try to cancel.
The phone company has a long history of fraud, lackluster service, and hostile customer service. I'm glad I'm no longer stuck with them.
TW's service sucks? Try Vonage or any of a dozen other providers.
TW charges too much for their VOIP anyway.
I live in a college-heavy neighborhood, in a DUI-heavy state...you'd be surprised just how often this can happen (though I lose power more often than phone).
Hahaha, nice. I should have pointed out that odds are the drunk guy hitting the pole would also knock out your VoIP service too -- unless you have a wireless internet connection and a laptop/UPS. My main point was that in my 30 some years on this earth the only time I can ever recall the phone not working was when somebody hit the pole and ripped the wires down.
YMMV with ice storms/t-storms/what have you. But the big point is that short of physical destruction of infrastructure your POTS line is going to have dial tone and is going to work as advertised.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
There was once a product called PGPFone that would do VOIP with PGP encryption. I have not seen anything about this in quite a while. Is the project still around?
I don't know what this fuss is about. Over here, people have been abandoning POTS in masses since years and moving to ISDN, with similar consequences in case of a power outage. Most people don't use an ISDN telephone, but a small PBX which usually requires external power for itself and the phones connected to it. Everyone else is using wireless phones (DECT) with a base station that requires power. People don't seem to care about the availability of their phone system, 99.something percent availability seems to be good enough for most. I'll stick with my nearly indestructible 1948 bakelite phone.
I mean, negotiating a private key between two hosts is trivial, just use the good old DH key exchange thing. Could even use IPSEC for the actual encryption, no need to reinvent the wheel and add crypto to the VOIP protocols, just do those security associations when you setup a call.
:(
The downside is, that a MITM is possible to get the key, but that's pretty damn unlikely compared to people just sniffing and listening to your call or blindly injecting data to an existing one. From what information is available about Skype, it does something like this, I believe.
But, designing horribly complicated systems that cover the corner cases seems to be the norm, and those get ignored due to complexity and thus everyone does the unencrypted thing in the end
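Added example (not part of any comment in this thread, and not PGPfone's or Skype's code): the unauthenticated Diffie-Hellman exchange from the comment above, combined with the spoken key check described earlier for PGPfone, showing that an active MITM ends up sharing a key with each caller while the two callers read out different words. The demo group (prime 2^255 - 19, generator 2), the syllable encoding and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Demo group only (assumption): the prime 2**255 - 19 with generator 2.
# Real deployments use a vetted group or curve from a maintained library.
P = 2**255 - 19
G = 2

# Constructed syllable table, one entry per 4-bit value. This is NOT the
# PGPfone word list; it only makes the check string easy to read aloud.
SYLLABLES = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
             "no", "pu", "ra", "se", "ti", "vo", "zu", "wa"]


def keypair(private=None):
    """Return (private, public); draws a random private key unless one is given."""
    if private is None:
        private = secrets.randbelow(P - 3) + 2  # uniform in [2, P - 2]
    return private, pow(G, private, P)


def shared_secret(my_private, peer_public):
    """Derive the DH secret, rejecting public values that force a trivial key."""
    if not 2 <= peer_public <= P - 2:
        raise ValueError("degenerate peer public value")
    return pow(peer_public, my_private, P)


def spoken_check(secret, n_bytes=4):
    """Turn a hash of the secret into short words for the callers to read aloud."""
    digest = hashlib.sha256(secret.to_bytes(32, "big")).digest()
    return [SYLLABLES[b >> 4] + SYLLABLES[b & 0x0F] for b in digest[:n_bytes]]


def direct_call(a_priv, b_priv):
    """No attacker: each side receives the other's real public value."""
    _, a_pub = keypair(a_priv)
    _, b_pub = keypair(b_priv)
    return (spoken_check(shared_secret(a_priv, b_pub)),
            spoken_check(shared_secret(b_priv, a_pub)))


def intercepted_call(a_priv, b_priv, m_priv):
    """Active MITM: both public values are replaced in transit by the attacker's."""
    _, a_pub = keypair(a_priv)
    _, b_pub = keypair(b_priv)
    _, m_pub = keypair(m_priv)
    key_a = shared_secret(a_priv, m_pub)  # key Alice believes she shares with Bob
    key_b = shared_secret(b_priv, m_pub)  # key Bob believes he shares with Alice
    return {
        "alice_words": spoken_check(key_a),
        "bob_words": spoken_check(key_b),
        # The attacker can compute both keys, so encryption alone hides nothing.
        "attacker_reads_alice": shared_secret(m_priv, a_pub) == key_a,
        "attacker_reads_bob": shared_secret(m_priv, b_pub) == key_b,
    }


if __name__ == "__main__":
    a, b, m = keypair()[0], keypair()[0], keypair()[0]
    print("direct     :", direct_call(a, b))
    print("intercepted:", intercepted_call(a, b, m))
```

A check string this short only holds up if each side commits to its public value before seeing the other's; without that step an attacker can search for a key whose words collide, and the commitment is omitted here.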
Their website lists their numbers as: "Tel: 00353 - (0)87 - "...etc numbers, so they're not in North America.
This: (Mon, 14 Feb 2005 16:57:12 +0000) also suggests a European country (I think). So maybe English isn't their first language.
Anyone have experience or opinion on Speakeasy's VoIP service? They claim it all takes place inside their 'private network', but is it really safe? As an alternative to the bells it's very attractive, plus it's less expensive. It would be handled through my DSL, which I get from them, and it hasn't been down since we got it in feb of this year.
bad_outlook
--
Is this vague enough for you?
Well the VOIP provider has one important motivator that the phone company lacks.
Yeah, because between VoIP, the cable company and cell phones (none of which are regulated or held to the same standard) the baby bells have no competition at all. Do you really believe that?
The bells seem to think that whatever they want to do is okay. You're stuck with them, they don't have to be honest in their billing, It costs the telcos nothing to enable caller-ID, indeed it is an integral part of the POTS system, so why do they charge extra for it?
Really? It's been my experience with Verizon that they are a million times more responsive to me than Time Warner. You think they purposefully screw people on billing? What fantasy world are you living in? The FCC, FTC and PSC would come down on them like a ton of bricks.
The phone company has a long history of fraud, lackluster service, and hostile customer service. I'm glad I'm no longer stuck with them.
As opposed to the cable company (your other main provider, lest you forget) who has a long history of being honest, great service and friendly people that put Wal-Mart greeters to shame. And even if your local phone company still has these monopolistic attitudes you have an appeals process through your state regulatory agency. The NYPSC has never once failed me and the three times I've gone to them I had my problem solved within two hours. Try that with VoIP or cable.
TW's service sucks? Try Vonage or any of a dozen other providers.
And where do you think the internet connection for vonage is coming from? Oh, that's right! DSL or cable!
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The Cisco callmanager can set up calls to be encrypted end-to-end.
People don't seem to care about the availability of their phone system, 99.something percent availability seems to be good enough for most.
Cell phones might be at 99% but VoIP isn't even close. And those people will care when they have a heart attack during that 1% of the time.
Think that's a remote chance? Take a 1% downtime and apply it across a couple hundred thousand users. It's only a matter of time.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
My biggest concern for VOIP is SPAM. Imagine the network sniffing your VOIP (or data) traffic and deriving the hours you are most likely to be at home. Useful info for direct marketeers or for your bombardment with pre-recorded audio advertisements per VOIP. Your VOIP phone will pollute as quickly as your email inbox. Increased nuisance at a yet unknown magnitude.
... sorry the point I was trying to get across but failed at was that VoIP is independent of the media.. you can use VoIP if you have wireless internet, Cable Internet, Fibre Internet.... POTS is dependent on the media...
Losers whine about their best, Winners go home to fuck the prom queen
Since when have good old fashioned telephone systems been secure? I can't count the number of times I've picked up a neighbor's conversation from their cordless phone. Although I'll agree that the scope of the attack may be broader with VOIP (after all, my neighbor's phone only puts out enough power to be picked up within a certain proximity), I think an expectation of privacy on any current phone system is a flawed assumption at best.
Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.
[sarcasm] Yeah, fuck progress! [/sarcasm]
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
>POTS is damn near 100% reliable
My phone company charges $12 for my no-frills service. Somehow the bill I pay is $45 after all the fees and taxes. Those extra charges are the main reason I'm considering bailing from POTS to VoIP. They'll catch up sooner or later, but for a time, I can keep some of my money.
Heck I might have some cash to enter the sucker mill^H^H cell phone subscriber pool.
VoIP not secure?! Oh noes!
Next they'll be telling us that crazy things can happen like getting your regular phone line tapped...I mean, total crazy talk here.
"Yeah, because between VoIP, the cable company and cell phones (none of which are regulated or held to the same standard) the baby bells have no competition at all."
Yes thanks to VOIP they have competition now, which you seem to think is a bad thing.
"Really? It's been my experience with Verizon that they are a million times more responsive to me than Time Warner. You think they purposefully screw people on billing? What fantasy world are you living in?"
I'm living in a fantasy world where my phone bill went up 25% every year despite no appreciable improvement of services. I'm living in a world where I found out one month I was paying $15 extra every month for voicemail service I had not asked for, and indeed wasn't even getting. I'm living in a world where when I called to complain about this practice I was told that there was nothing the phone company could do about it but continue to charge me for services I wasn't getting.
Poo poo TW all you want, after the ice storm they had my lines back up the same day, whereas it took nearly a week to get the phone company out here. And then they charged me for the visit.
True, you can get a response from the phone companies if you contact your lawyer, the state attorney general, a few congressmen, and the Pinkerton boys, but I prefer to do business with people who are hungry for my business and eager to satisfy their customers.
TW has been good to me, but if they hadn't, well I have alternatives there too. I guess I'm lucky to have more than one cable company in my area.
If it all came down to it, I would go without phone service altogether before I went back to my local phone company.
Failure of a VOIP line is generally not a life-threatening event. For a backup, use your cellphone. For a backup to that, use your neighbor's phone. If your VOIP or digital phone fails, along with your cellphone, along with your neighbor's phone, and you have a life-threatening emergency, then you're just screwed, but how often does that happen?
Keep risk management in perspective. In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone service. VOIP would be very useful in the business world to keep down the cost of long distance calls, and the quality is good enough.
Considering risks vs. rewards, VOIP is a good idea in most cases, although it is worth remembering that it is not 100% reliable although nothing really is.
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=209
Considering I can walk up to 90% of the houses on the street, open up the phone box, and plug a lineman's handset (or anything else) into the phone line...how secure is the PSTN?
If you think the PSTN is really secure, you might want to look through some old issues of 2600...
-- OpenVerse Visual Chat: http://openverse.com
Furthermore, lots of people have cordless phones and don't have a wired phone as a backup. Cordless phones do not work in the event of a power outage.
Electrical noise can certainly bring down a cordless phone, even the nifty new 5.8GHz ones. Wired phones are definitely less vulnerable to noise, but not completely impervious. High amounts of electrical noise can generate interference and affect voice quality and even reliability -- even on a wired phone. I disagree. Much of the regulatory infrastructure is based around the idea that phones are 'hard-wired' into the PSTN. With VoIP, I can use my phone anywhere in the world that has high-speed Internet access. What happens if I have an outage while I'm on vacation in another state or even another country? Who's responsible? My VoIP provider probably can't be held liable...
Let's face it, cell phones can't be relied on either. They drop or fade out seemingly at random, and I know for a fact coverage in certain residential neighborhoods just plain isn't up to snuff anyway. And I'm talking the fairly dense Bay Area suburbs, not Pigsknuckle, Arkansas here. And what happens if/when the neighbor doesn't have a real landline either? Isn't that the logical goal of the hard-core VoIP pimps? To bring down that evil Ma Bell? If VoIP really does take off at the consumer level, your next three neighbors may not have a real landline. What would you propose to do then? Hope there's a payphone around?? (remember THOSE??)
" In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone service. VOIP would be very useful in the business world to keep down the cost of long distance calls, and the quality is good enough."
It is good enough, and that's exactly what we do. I have a VoIP "line" from AT&T at our business for outgoing long distance, plugged right into our phone system. It saves us probably $200 - $300 a month in long distance (You should see what business LD costs - it's ridiculous).
- Brian Roach
Wow, I *never* realized that you could do all of the same things to VOIP that you could do to a regular phone line with a couple alligator clips.
Folks, you have to remember that this article talks about the so-called nomadic voIP-services.
I've been using VoIP for the better part of two years now, and it's maintained by my ISP. I run it over the Ethernet hookup I have, and as far as functionality is concerned I hardly notice the difference from POTS.
Outages? I've had two. Once when my apartment lost power (thus the VoIP-box lost power) and once when some major link in my ISP's chain went down. As a matter of fact, I've had FEWER problems with VoIP than POTS. My ISP/Telco also didn't charge for the days (two) of outages, of course.
As for packet priority, I can max my line, and since the phone is a non-nomadic VoIP the sound is still crystal clear since the ISP uses traffic-shaping (or something) to always put priority on the VoIP-packets.
I enjoy large posteriors and I cannot prevaricate.
I wonder how long it will be until things like VoIP encryption is illegal to implement on the user-to-user end. Once the government catches wind via some wacked-out organization, they're going to be pushing legislation to ban such products - all in the name of preventing terrorism, of course.
Heck, my opinion is it's only because of the history of the open nature of computing that this industry is allowed to have encryptions like SSL where the government can't tap the line.
And if you don't believe me, see the recent treaty discussions going on in the senate right now that requires participating nations to take up laws which include wiretapping.
A community-oriented lyrics site
The way I see it, the biz model of bells is long gone. What should be happening is that we should pay a flat fee to call anywhere in the world, and telcos will have to use that fee to do maintenance on the lines, and stuff like that.
VoIP is driving us there, it'd be a smart move of the bells to get there as well. They just have to understand that the pay-for-long-distance is not a valid biz model anymore.
Why not try Skype and then talk about VOIP security? Skype uses AES (Advanced Encryption Standard) - also known as Rijndael - which is also used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates. It's really strong VOIP encryption. I think Skype is great, and the Skype community is growing, thanks to the share.skype.com blog. Skype gives free SkypeOut days, two more left. And I use http://skype.i-loveyou.info/ so I don't miss any of those days.
Try telling this to a judge. In the event that a security breach does take place (resulting in, for instance, loss of customer data), businesses don't want to be in the position of saying "but you could have sniffed that traffic just as easily on a POTS network, your Honor." Using POTS is the standard for security, and as bad as it is, you don't unduly expose yourself to liability by using traditional telephone lines.
If you run a business and discuss sensitive information over the phone, you're exposing yourself to an unnecessary risk by using VoIP. The addition of encryption would make VoIP more appealing to businesses, and (done properly, ideally with end-to-end capability) would even be a significant selling point.
I would have thought the obvious solution would be something like SIP over SSL {which should be easy enough to set up, if Asterisk doesn't already have such a feature}, but maybe I'm missing something obvious about SSL that would preclude it.
PGP-type encryption would be good {key servers, if you use them properly, are incredibly powerful: post your out-of-date private keys and now nothing you ever signed using any of them can be authenticated!}, but it isn't transparent.
Whatever solution is adopted, it must be network-transparent, and the user must have the right to view the source code. The Authorities no doubt would love us to be using something they can tap, on the basis of "protecting" us from terrorists and drug dealers; but if terrorists and drug dealers are known not to be using the system because they know it can be tapped, then there's no point tapping it in the first place!
Je fume. Tu fumes. Nous fûmes!
Considering it's recent growth
"its".
There's already an encryption spec for VOIP. Nobody seems to use it.
I'd worry about the market for a new product when the demand has already been tested and found wanting.
Then there's always the option of running your calls on a VPN, as several people have pointed out already. That's what I would suggest to a potential client in an initial consultation.
VoIP is *more* secure than your PSTN... with the PSTN any doofus with a butt-set can climb the pole outside your house... or worse yet go OUTSIDE your house and tap into your line.
With VoIP you have to actually be on the network.. and not just on the network.. but IN the packet stream.
Hacker A who is on a server off the switch can't listen to your conversation... they would have to interrupt the packet stream flowing through the router.
WTF mate! I found out my ex-wife was cheating on me by picking up the extension phone in the other room and listening to her talk to her boyfriend. With POTS, anyone with a $10 Walmart phone set and a set of alligator clips can open the phone box on the side of your house and listen to (or for a few dollars more record) your conversations. And anyone who understands Signalling System 7 can conference themselves into your calls through the phone company switch.
Calling VOIP insecure is by comparison like a nudist complaining that a woman's skirt is too short.
"Sic Semper Path of Least Resistance"
We work with a bunch of local phone vendors who always dictate that for site to site voip to be used, we need to setup a site to site VPN (or point to point circuit). It is my suspicion that they do this so that
1. they don't have to be bothered with trying to figure out what ports to forward on the firewall and
2. they have so much difficulty in troubleshooting their own systems that they love to blame everything on us.
In any event, I picked up the new O'Reilly book on VoIP and they talk a lot about avoiding VPN as it creates lag. They also indicate that sending all of your QOS flagged traffic down a VPN tunnel eliminates the ability of the upstreams to "see" the QOS flags as they are encrypted. Anyone else have experience with this?
If you have physical access, you can do a lot. The problem otherwise with anything-over-IP is the potential that a kid in Russia can hack your connection while you are in Canada....
We all abuse the apostrophe, just by posting on Slashdot.
--
make install -not war
But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is.
... but not me.
Oh, get a grip. I have Vonage and a cell phone. Maybe you're terrified enough to think that the triple-redundancy a POTS line would provide is worth the cost
Now, go wipe down your counters with your bleach-impregnated wet-wipies. The commercial said there are mi-cro-org-an-isms there, and they could make you sick!!!
Knucklehead.
Yes thanks to VOIP they have competition now, which you seem to think is a bad thing.
I didn't say competition was a bad thing. My point is that the playing field is skewed away from the POTS providers (who ironically have the more reliable and battle-hardened product).
You pay fees on your POTS line (the FCC line charge) to provide for number portability (amoungst other things) in the name of competition. Yet that POTS provider can't take numbers from the local cell carrier all the time. Whereas the cell carrier can always take a POTS number.
Furthermore they aren't held subject to the same regulations, the same surcharges (USF, FCC line charge or even local taxes) and they are allowed to advertise as if they have a bulletproof solution that completely replaces your home line.
What I want is a level playing field and the VoIP/cellular providers held to the same standards of reliability and uptime. Until that happens I don't see my landline going anywhere.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The way I see it, the biz model of bells is long gone. What should be happening is that we should pay a flat fee to call anywhere in the world, and telcos will have to use that fee to do maintenance on the lines, and stuff like that. VoIP is driving us there, it'd be a smart move of the bells to get there as well. They just have to understand that the pay-for-long-distance is not a valid biz model anymore.
Yeah because it's a lot more fair if Grandma down the road who only uses her phone to call her neighbor next door has to pay a flat fee to subsidize your international phone calls. It's always a great pricing model to have everybody pay a flat rate. 10% of the customers get to use 90% of the resources and pay the same as everybody else. Ever try to run a small town ISP with limited bandwidth resources in the post P2P world? Flat rate pricing is often times quite unfair to the majority of the customers and to the business owner.
Which isn't to say that there isn't a place for it sometimes. But why should I have to pay for your long distance phone calls if it's a service I rarely use?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
This article http://acmqueue.com/modules.php?name=Content&pa=showpage&pid=209 covers the subject of VoIP security nicely
every stain tells a story
Can't we just stick to regular telephones? I don't want my 911 call to be interrupted by a denial of service attack...
Police arrive in time to arrest a suspect less than 3% of the time when 911 is called and a much smaller percentage of the time in order to actually stop a crime. Fire departments have a little bit better track record, but usually if you don't get out yourself, they aren't going to save you. Basically, don't overvalue the 911 system. It is not really very useful in most emergencies and the chances that it will be useful and you will be suffering a DoS attack at the same time are pretty damn slim. If an attack is directed at you to actually disable your 911 service how much easier is it to just cut your phone line?
Now I'm not saying that VoIP should not be regulated, I'm just saying that 911 service is not a priority for a lot of us. I think internet access as a whole should be regarded as a utility that should be made available and regulated across the nation.
Well, there aren't many technical differences between a local call and a long distance call. Yes, the number of switches involved in a long distance call may differ from the ones involved in a local call, but my point is that paying by the minute is stupid, no matter where you are calling. Metered calls are a biz model that no longer works. What is it exactly that one is paying when paying by the minute? Power consumption on the switches?
I don't see why I have to pay by the minute on certain calls and why others are for a flat fee, other than a corporate move to subsidize the absurd bureaucracy they have to actually send you a bill.
In any case, many people think like you, and if you like paying for exactly what you use to avoid paying for what the other 10% is using, try moving to Europe or South America, where you pay by the minute on ALL CALLS. If the call is considered a 'local' call, you get a lower rate/minute, but you still pay according to the time you use the line.
What I am trying to say is, why is there a distinction between local and long distance? Why can a cellphone provider provide free flat access within their network and POTS can't?
You pay fees on your POTS line (the FCC line charge) to provide for number portability (amongst other things) in the name of competition.
Yes, and then funny enough when I try to use that capability by wanting to transfer my number from ATT to Vonage then suddenly ATT is incapable of doing this and have been dragging their feet for 2 months already.
It has now reached the point where if ATT became the only phone supplier in the world then I would have to go back to snail mail. Idiots.
Actually, I do pay an FCC charge on my VOIP service, & it's still only a fraction of what my phone bill used to be.
How about we level the playing field by REDUCING the amount of regulations & such that the phone companies have to deal with. If they still want to provide this mythical rock-solid service (although my POTS service was anything but) the people who think it's so all-important can pay extra for it.
I am perfectly happy with my VOIP which isn't rock-solid (although it's MUCH more reliable than my landline ever was). Why shouldn't I have that choice?
When I was fighting with the phone co over the voicemail service I was slammed with, part of the reason they couldn't help me was because they were barred from doing so by heavy-handed regulation. They could not disconnect the service that had been attached to my bill, even though it was clearly fraudulent, even though I was very adamant that they remove it. I, as their customer, had no control over it & the service had to be terminated by the company who had slammed me. I'm sure you can imagine how eager that company was to comply (or even answer the phone). And so my only recourse was to have the telephone service terminated entirely.
Sure, level the playing field, but don't do it by transferring all the bloated regulations to other fields & ruining them as well.
Where's the personal responsibility? Why have we all come to assume that the world stops turning if we pick up the phone & the dialtone isn't there? 911 IS NOT the matter of life & death that everyone seems to think it is. If you really want to be able to save your family from disaster, screw 911, learn CPR, and stop expecting the rest of the world to save your ass every time you get a boo-boo.
It is far easier to intercept the middle than you could ever believe (though, about 3 years ago, I would have agreed with you).
The real problem is that the man in the middle may handle the conversation in any way that they see fit. They can then place any set of words in your mouth (and the other parties'). It becomes possible for various groups to totally misdirect you or the other parties into certain directions. Interestingly enough, this can be used to provide for false convictions. And yes, this is very doable.
Think of somebody doctoring a photo. 7 years ago, it was hard to do, but it was doable. Now, it is trivial to do so. The same is true of VOIP.
VOIP security should have been designed in (with a clean policy/implementation separation), but it is never too late to start.
I prefer the "u" in honour as it seems to be missing these days.
And so my only recourse was to have the telephone service terminated entirely.
Umm, I'm calling bullshit on that. Your recourse could have been to just stop paying for it. Your telephone company will not disconnect your service for failure to pay an unrelated part of your bill. Hell, I can refuse to pay my long distance bill and they still can't disconnect my (local) service. Ditto for my DSL bill. These are the protections you have thanks to the regulations that you want to see abolished. Think you'll have an appeals process to your state public service commission when Vonage messes up your bill?
Where's the personal responsibility? Why have we all come to assume that the world stops turning if we pick up the phone & the dialtone isn't there? 911 IS NOT the matter of life & death that everyone seems to think it is. If you really want to be able to save your family from disaster, screw 911, learn CPR, and stop expecting the rest of the world to save your ass every time you get a boo-boo.
You think the world doesn't stop if you pick up the phone and there's no dialtone? You think 911 is bullshit? What about the few hundred other arguments I could make about needing rock solid phone service. Do you have kids? What happens if there is an early dismissal from school or they get hurt? Think you might want your dialtone then? What happens if you get called into work but your boss gets a fast busy signal because the VoIP provider messed up... next thing you know you get fired.
911 isn't the only reason (though it is a big one) that I think phone service needs to be rock solid. Besides the minor little fact that it's a service that I'm paying good money for -- so I'd better have a dialtone when I pick up that phone.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I don't see why I have to pay by the minute on certain calls and why others are for a flat fee, other than a corporate move to subsidize the absurd bureaucracy they have to actually send you a bill.
Actually I think it has more to do with the fact that if I call you and you are on the same central office as me then the call doesn't need to use any long distance lines. Typically the central office switches are 90% idle -- whereas the long distance trunks can hit 100% utilization at times.
Granted that's less of a problem these days and not all local calls are within the same CO -- but there was a basis for it. Furthermore a long distance call (even in this day and age) requires infrastructure and that infrastructure has to be paid for.
I still maintain that flat rate pricing isn't fair. I'm not going to debate the merits of charging per minute but it's simply stupid for somebody who makes two long distance calls a month to pay the same as somebody who makes several hundred.
Perhaps a more fair solution would be a per call charge. Verizon has "message rate" service where you pay a charge ($0.09 in my area) for each local call connected. As you pointed out once the switches have established the call that's the bulk of the work. I still think that flat rate pricing doesn't pay for most people and it's inherently unfair.
What I am trying to say is, why is there a distinction between local and long distance? Why can a cellphone provider provide free flat access within their network and POTS can't?
I've always been told by people in the industry that it has to do with the fact that most of them control a nationwide network and can deliver the call closer to its destination on their own equipment (without relying on outsiders to transport it) than most POTS providers. But even so I've never seen a "free flat" cell phone. You just go from paying for long distance to paying for airtime. Even the cheapest plan (without enough minutes to order pizza) still costs more than most ghetto level POTS plans. That kind of proves my point about people who barely use it paying for people who live on it.
Lest you think I'm only picking on the telecommunications industry I could also point out that it's somewhat unfair for it to cost me the same amount of money to mail a letter to my girlfriend ($0.37) two blocks away as it costs to mail a letter to my aunt in Alaska (4,000 miles away - $0.37).
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The key difference between traditional telephony and VoIP is the way the calls are handled across the network. Traditional POTS telephony uses circuit switched connections, meaning that an attacker needed physical access to some piece of copper along the called path to perform a man-in-the-middle attack. With IP communications it is possible for attackers to "touch" the path of the call from a remote location. http://ettercap.sourceforge.net/ Both methods are insecure and suffer from physical security issues. It's just that without proper network security the physical area of an IP network is easily extended and therefore susceptible to more attackers.
"Who could blame him [Phil Zimmerman] for laying low for a while after the Justice Department launched a three-year criminal investigation of him in 1993? Officials accused him of violating a ban on exporting cryptography when he made PGP available for download on the internet. The government finally dropped its investigation in 1996."
The Justice Department officials who "investigated" Zimmerman (persecuted him) set back the availability of privacy tech by at least half a decade, right when the Internet exploded into everyone's private and professional lives. They never found anything bad on Zimmerman, and crypto export restrictions were sensibly lifted in light of the extremely favorable cost:benefit to American economic security (the basis of all national security). But those officials, who did such damage, suffered no repercussions for their fruitless persecution of Zimmerman.
How long, after Zimmerman's VoIP privacy tech gets some buzz, will it take for some new Justice Department freak to target Zimmerman this time? With the context of "cyberterrorists", portrayed as "out of government reach" with Internet cryptophones, so easily saleable to the American public terrorized daily by government actions in the Terror War? Zimmerman's willingness to reenter that war, after being burned, shows that he's the kind of patriot that the government can only pretend to be when naming laws and missiles.
--
make install -not war
To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do.
Actually it's trivial - by subverting the call setup negotiation. They don't even need to subvert the carrier's servers - replacing or inserting a SIP proxy via, for instance, DNS cache poisoning would do the job. With call setup corrupted the actual streams can be routed through any machines and paths they want.
Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call.
I take it you're OK with, say, a spook agency, police department, business competitor, or foreign government agent recording all your conversations (and their endpoints) and feeding them through voice recognition algorithms to identify those of interest. Also with a phisher tapping your conversations with your bank and credit card company?
And with anybody with adequate tech carefully putting words in your mouth - but only as heard by the ear of the person you're talking to (or words apparently from THEIR mouth to YOUR ear)? Maybe your rival for the other person's affections? Or with a new COINTELPRO operation by the FBI convincing your Significant Other that you're cheating (as they did to a number of '60s/'70s activists)?
I could go on listing potential bad stuff all day. The more tech, the worse it gets.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
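A defender-side check for the call-setup tampering described in the comment above, as an added example that is not part of the thread: it reads the SDP body of a SIP message and flags any media address outside the networks a site expects its RTP to terminate on. The subnet, host names and sample messages are constructed assumptions.

```python
import ipaddress

# Assumption: the subnets where this site's PBXs and media relays live.
EXPECTED_MEDIA_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def build_sample(media_addr):
    """Constructed SIP 200 OK whose SDP sends audio to media_addr."""
    return "\r\n".join([
        "SIP/2.0 200 OK",
        "Via: SIP/2.0/UDP pbx.example.com;branch=z9hG4bKconstructed",
        "From: <sip:alice@example.com>;tag=1",
        "To: <sip:bob@example.com>;tag=2",
        "Call-ID: constructed-1@example.com",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",                                  # blank line ends the SIP headers
        "v=0",
        "o=- 1 1 IN IP4 " + media_addr,
        "s=-",
        "c=IN IP4 " + media_addr,            # session-level connection address
        "t=0 0",
        "m=audio 49172 RTP/AVP 0",
        "",
    ])


SAMPLE_OK = build_sample("192.0.2.10")
SAMPLE_REDIRECTED = build_sample("203.0.113.77")


def sdp_media_endpoints(message):
    """Return one dict per m= line with the address its RTP will be sent to."""
    _, _, body = message.replace("\r\n", "\n").partition("\n\n")
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            # "IN IP4 addr" or "IN IP4 addr/ttl"; anything else is unusable
            addr = parts[2].split("/")[0] if len(parts) == 3 else None
            if media:
                media[-1]["addr"] = addr     # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line[2:].split()
            if len(fields) >= 2 and fields[1].split("/")[0].isdigit():
                media.append({"kind": fields[0],
                              "port": int(fields[1].split("/")[0]),
                              "addr": session_addr})
    return media


def unexpected_media(message, nets=EXPECTED_MEDIA_NETS):
    """Media streams whose address is missing, a host name, or off-network."""
    flagged = []
    for entry in sdp_media_endpoints(message):
        try:
            ok = any(ipaddress.ip_address(entry["addr"]) in n for n in nets)
        except (ValueError, TypeError):
            ok = False                       # cannot verify: treat as suspect
        if not ok:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for name, msg in (("ok", SAMPLE_OK), ("redirected", SAMPLE_REDIRECTED)):
        print(name, unexpected_media(msg))
```

A check like this only sees signalling it can read, so it belongs on the PBX or a border element rather than on a passive tap behind TLS.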
You conveniently ignore the largest reason for 911 calls - health or injury related.
For example, my son was choking, while I performed the Heimlich, my wife dialed 911. Emergency personnel on site within 3 minutes. As it turned out just as they were walking in I cleared the obstruction. But it was good to know they were there and could respond quickly.
Now imagine if you are home alone, and have a heart attack/stroke. You are able to dial 911, but not to communicate effectively.
Believe me, there are plenty of reasons why having POTS 911 is worth it.
Ha Ha Ha.
I make my living repairing the supposedly close to 100% reliable POTS system and, I must admit, I have a different opinion of the situation than you do.
I also disagree with regulation of VoIP service. Regulating the infrastructure is one thing, regulating a service that anyone with a computer and an internet connection can provide would be silly IMO. If you want reliability you will have to find a provider that promises it and pay accordingly. I don't think we need to create artificial barriers to entry via the government, particularly with a service that could be provided from outside of your government's jurisdiction anyway.
...Then create SSL VPN tunnels with OpenVPN (X509 PKI, TLS) between PBXs and enjoy.
It's amazing what good design can do to improve security.
"Oh you mean just setting up random SIP connections over the net is a bad idea?"
I care about security as much as the next guy but comparing POTS or even Centrex security to VoIP is ridiculous. What about physical security that many have mentioned? I want to maintain 99.999 without having to worry about some jagoff with a backhoe whether he is driven by some virulent strain of Islam or is just a stupid ass. Much less a single leaky capacitor that has no backup system in place. So far it seems that even above ground, in my area, the ISPs have put more into redundant paths than the PSTN.
Hell, we ran into a single point of failure 120 miles away at a NOC on a cellular data network back haul router. Which took 6 hours to pinpoint by AT&T -> Sprint -> SBC -> Cingular -> AT&T/Cingular -> AT&T finger-pointing. At which point it was determined that the endpoint (AT&T GPRS private APN firewall router middleman) was flaky.... but they were totally able to loop up the T1 from the TELCO which proved there was no problem, bah!
The tech support were friendly but clueless and equipped with all the right info from the first minutes of the outage by myself...which WE detected 30 min after it happened through our own standard public safety system troubleshooting, and they were still totally unaware of it. Yeah 30 minutes is quite a lag time but consider I had to dial in from 3 towns away (26,400) after 10 minutes on the phone to verify dispatch wasn't just crazy. It took 10 minutes for them to notice the problem and qualify it for emergency service.
Yet a simple ISP with some Nagios running would've found it faster but had dual paths to prevent (more than 30 seconds of) downtime. We intentionally took down our Internet link in an infrastructure replacement and the poor guy in the ISP NOC dug through outdated contact info for a while until he called his boss and eventually my cellphone to report the outage. THAT'S SERVICE. He was actually concerned when he called too, could've been related to his boss but still. *I* had to calm *him* down, and there was definitely a sigh of relief on his end when I explained. I felt bad for not notifying him. He insisted I call back when we were done to verify connectivity. Where do you find that type of service?
TELCO didn't see the problem, or go to the trouble of calling us if they had. When we called them they were courteously-flippant and blamed us at every turn until they found they were wrong. Guilty until proved innocent is definitely their modus operandi.
Maybe my region is better, but I'm pretty much in Podunk. My vote is for VoIP. I realize that the cost is much more significant for the telco to do the same thing with available technology and infrastructure, that is my point exactly.
The author failed to mention that the Avaya SNMP community string can be changed using the "SNMPSTRING" parameter. Even though the MIBs are read-only, SNMP access can also be restricted to administered IP addresses using the "SNMPADD" parameter in the phone configuration file. For more information see the following: http://support.avaya.com/elmodocs2/4600/233507_2_1.pdf
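One way to audit the two parameters named above across provisioned settings files (an added example, not Avaya's code or the commenter's). It assumes the file uses `SET NAME value` lines with `#`-prefixed comments and that `public` and `private` are the well-known community strings to reject; both sample files are constructed.

```python
import shlex

# Assumption: community strings treated as "never changed from a default".
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Constructed sample: what an untouched deployment might look like.
SAMPLE_WEAK = """\
## constructed settings file
SET SNMPSTRING public
SET SNMPADD ""
"""

# Constructed sample: community changed, queries limited to two managers.
SAMPLE_HARDENED = """\
## constructed settings file
SET SNMPSTRING "placeholder-community-string"
SET SNMPADD 192.0.2.20,192.0.2.21
"""


def parse_settings(text):
    """Return {NAME: value} from SET lines; a later SET overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)       # handles quoted values
        except ValueError:
            continue                         # unbalanced quote: skip the line
        if len(tokens) >= 2 and tokens[0].upper() == "SET":
            settings[tokens[1].upper()] = " ".join(tokens[2:])
    return settings


def audit_snmp(text):
    """Return a list of finding codes for the SNMP parameters in one file."""
    settings = parse_settings(text)
    findings = []
    community = settings.get("SNMPSTRING")
    if community is None:
        findings.append("SNMPSTRING_NOT_SET")        # phone keeps its default
    elif community == "":
        findings.append("SNMPSTRING_EMPTY")
    elif community.lower() in WELL_KNOWN_COMMUNITIES:
        findings.append("SNMPSTRING_WELL_KNOWN")
    allowed = [a for a in settings.get("SNMPADD", "").split(",") if a.strip()]
    if not allowed:
        findings.append("SNMPADD_UNRESTRICTED")      # any host may query
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_snmp(text))
```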