Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Security Holding VoIP Back?

michael posted more than 10 years ago | from the users-too-dumb-to-know-about-security dept.

Security 181

phoneboy writes "Voxilla is running a piece I wrote on security issues present in Voice over IP. While an increasing number of people are ditching their ILEC in favor of using Voice over IP from companies like Vonage, VoicePulse, Packet8, and Broadvox Direct, there are a number of potential security issues to be aware of. Is VoIP secure enough to replace the PSTN as we know it?"

cancel ×

181 comments

omg frist post bare pwnt all of you (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8553065)

GNAA / Google confirms: Linux is dying. GNAA / Google confirms: Linux is dying.
By GNAA Staff

Here you have it: it's official; Google confirms: Desktop Linux is dying.

Now, you might be thinking this is just another cut & paste troll based on the typical *BSD is dying bullshit.
It isn't.
As you might have know, your favorite search engine, Google [google.com] , has been running a little statistics service, called "Zeitgeist [google.com] ".
Since about a year ago, they started providing statistics of the operating systems used to access their search engine worldwide.
I will let the numbers speak for themselves:

Operating Systems Accessing Google in January 2002 [google.com]
Operating Systems Accessing Google in March 2002 [google.com]
Operating Systems Accessing Google in April 2002 [google.com]
Operating Systems Accessing Google in May 2002 [google.com]
Operating Systems Accessing Google in June 2002 [google.com]
Operating Systems Accessing Google in July 2002 [google.com]
Operating Systems Accessing Google in August 2002 [google.com]
Operating Systems Accessing Google in September 2002 [google.com]
Operating Systems Accessing Google in November 2002 [google.com]
Operating Systems Accessing Google in December 2002 [google.com]
Operating Systems Accessing Google in January 2003 [google.com]
Operating Systems Accessing Google in February 2003 [google.com]
Operating Systems Accessing Google in April 2003 [google.com]
Operating Systems Accessing Google in May 2003 [google.com]
Operating Systems Accessing Google in June 2003 [google.com]
Operating Systems Accessing Google in July 2003 [google.com]
Operating Systems Accessing Google in August 2003 [google.com]
Operating Systems Accessing Google in September 2003 [google.com]
Operating Systems Accessing Google in November 2003 [google.com]

If you've looked at even a few of these links, you don't need to be a Kreskin [amdest.com] to predict Desktop Linux's future. The hand writing is on the wall: Desktop Linux faces a bleak future. In fact there won't be any future at all for Linux on Desktop because Linux is dying. Things are looking very bad for Linux on Desktop. As many of us are already aware, Linux on Desktop continues to lose market share. Red ink flows like a river of blood.

According to Google Zeitgeist [google.com] , there are about 80% of Internet Explorer 6 [microsoft.com] users. The only platform supporting Internet Explorer 6 is, of course, Microsoft Windows. These statistics are consistent with the earlier presented graphs of the operating systems used to access Google, with the Windows family consistently taking the top 3 ranks. Out of remaining 20%, the split is even between MSIE 5.5, MSIE 5.0, both Windows-only browsers. Netscape 5.x (including Mozilla) counts for only a measly 5% of browsers used to access Google. As you can see from the graph, this sample was calculated starting from March 2001 until September 2003.

Linux "leaders" will have you believe that Linux is gaining market share. However, according to Google [google.com] , "Linux" was never a top 10 search word at *any time* since Google began tracking search statistics. This can only mean one thing: Linux is dying.

All major surveys show that Linux on Desktop is something never meant to happen. Repeatedly, reputable organizations review Desktop Linux offerings, and consistently [osnews.com] give [com.com] it [com.com] unacceptable [yahoo.com] scores, compared to even Apple [apple.com] 's MacOS X [apple.com] , which is actually based on the "claimed to by dying long time ago" *BSD. If you paid attention to the operating systems used to access Google graphs earlier, you will notice that MacOS has consistently scored higher percentages than Linux. Infact, the obscure "other" category, which we assume is embedded systems, PDA's, cellular phones, etc, has at times ranked Higher [google.com] than even Mac OS - and of course, Linux.

In almost 2 years worth of statistics, Linux [linux.com] has NEVER outranked even such a truly "dying" OS as Mac OS, and infact, never raised above the 1% mark. When Windows XP [microsoft.com] was released, Google searches for Linux drastically decreased [google.com] . This clearly demonstrates that Linux on Desktop is, for all practical purposes, dead.

Fact: Desktop Linux is dead.

This commentary brought to you by a proud GNAA member.

If you have mod points and would like to support GNAA, please moderate this post up.
By moderating this post as "Underrated", you cannot be Meta-Moderated! Please consider this.

________________________________________________
| ______________________________________._a,____ |
| _______a_._______a_______aj#0s_____aWY!400.___ |
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ |
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ |
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ |
| ________"#,___*@`__-N#____`___-!^_____________ |
| _________#1__________?________________________ |
| _________j1___________________________________ |
| ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ |
| ____!4yaa#l___________________________________ |
| ______-"!^____________________________________ |
` _______________________________________________'

The GNAA = JEWS (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8553099)

Why did the Jews wander in the desert for 40 years (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8553134)

Because one of them lost a quarter.

my dreams are killed (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553066)

I had no fucking idea that 'Enthusiasm' chick was married! Lies, all lies.

Re:my dreams are killed (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553110)

DON'T USE SO MANY CAPS. IT'S LIKE yelling.
Don't use so many caps. It's like YELLING.

As opposed to the security of PSTN? (4, Insightful)

bc90021 (43730) | more than 10 years ago | (#8553071)

Considering we've been using PSTN for about a hundred years, and we've had absolutely no security whatsoever, something based on IP should be better. There are workarounds, at least, for the lack of security in IP; there aren't as many (if any) for PSTN.

Re:As opposed to the security of PSTN? (3, Insightful)

Mysticalfruit (533341) | more than 10 years ago | (#8553158)

I would think that this would be a perfect situation for public/private key encryption.

When you connected to someones VOIP device, it would merely pass you their public key.

Re:As opposed to the security of PSTN? (5, Insightful)

ComputerSlicer23 (516509) | more than 10 years ago | (#8553298)

Ever heard of "man in the middle". Never trust a public key, just because it is public.

You should get signed keys, or keys directly from the person you want to be talking with. If the somebody wanted to break your security, all they have to do, is be upstream from your ISP. Capture the broadcast of the public key, send you a different one they have the private key for.

Now there are exchange methods that you can use in public, but just passing a key in the clear isn't a good idea. Normally there is some type of key exchange before hand, a trusted third party, or a web of trust used to establish identity, and the trustworthyness of a public key.

Kirby

Re:As opposed to the security of PSTN? (4, Interesting)

lussmu (638495) | more than 10 years ago | (#8553538)

Well, the problem is a bit more difficult than that. IPSec can be used with VoIP, but it isn't particularly efficient. There are special IPSec for VoIP specifications, so the problem isn't encryption, but the lack of certificates. Public key encryption is always vulnerable to man-in-the-middle attacks, be it SSH or SSL web traffic [sourceforge.net] .

I'm guessing this might hold VoIP back for a little while, but when VoIP will be deployed large-scale, we will for sure see people having personal certificates. Right now, a real non-test certificate from verisign for a company web server costs 895 $ [verisign.com] but I could see the prices going down for personal certificates, when markets for those would start to appear.

Or then there's the Finnish model, where you can get an electronic ID just like you can get a regular ID from the government. The electronic ID is the regular plastic ID card with a smart card chip. You get two certificates from the government-operated CA. All this for the measley price of 40 euros [fineid.fi] . This would be a viable choice for private persons too.

There is also a SIM card version (a WIM card) designed that will come out in the future.

Re:As opposed to the security of PSTN? (4, Funny)

firstadopter.com (745257) | more than 10 years ago | (#8553182)

Agreed, nothing is inherently secure as the FBI's new proposal for wiretapping comes out.

Re:As opposed to the security of PSTN? (2, Insightful)

iminplaya (723125) | more than 10 years ago | (#8553448)

Maybe that's the deal. VOIP is too secure for the FBI to allow to become widespread. Am I paranoid enough?

Re:As opposed to the security of PSTN? (1, Insightful)

Rick the Red (307103) | more than 10 years ago | (#8553547)

Am I paranoid enough?
As long as John Ashcroft and his ilk are in charge, you're not paranoid at all. They really are out to get us!

Re:As opposed to the security of PSTN? (3, Interesting)

robslimo (587196) | more than 10 years ago | (#8553257)

I agree. I also think the cost of POTS is still pretty cheap, especially so with today's low LD rates. Example: I live in Oklahoma and it's costs me $0.08/minute to talk to my in-laws in Beijing and $0.07/minute to talk to my sister in Minneapolis. Go figure.

There has to be a real economic incentive to a household or company to roll out new systems to implement VoIP. It ain't here yet, but it'll come.

-----------------
And now, for something completely off-topic:

As of 10:57:22 PST, the last contender(The Golem Group) went to status Disabled.

A total of 28 miles were collectively traversed, with no participants getting past the 7 mile mark.

Thank you all for participating; we hope to see you all back here in 2006 for another try.

The 2006 event should be a real treat as we'll have clowns, jugglers and dancing girls. We'll also be introducing a new competing class called "Autonomous Disabled Autonomous Vehicle Tranport." The race for this class will begin 1 hour after the start of the main competion.

Re:As opposed to the security of PSTN? (4, Insightful)

jayminer (692836) | more than 10 years ago | (#8553283)

IP security would be easy to provide using many of the decent implementations of IPSec, but the most important problem of VoIP is that it is vulnerable to any kind of DoS attack.

The PSTN/POTS service is also on a publicly switched network, but controlled by central authorities. However, noone will try a DoS attack by constantly ringing your phone and making it busy.

Re:As opposed to the security of PSTN? (4, Interesting)

hikerhat (678157) | more than 10 years ago | (#8553286)

Well, you can't send an html email to a phone that tricks the user to click a link that installs a trojan that records all your phone calls and uploads them to an IRC chat room at midnight, all without leaving your parents basement. So even though there is no security on current phones, it takes a bit more effort to listen in on their calls. The minimal physical ability required to climb the phone poll rules out most chee-toe eating script kiddies from tapping your phone line.

Um (4, Interesting)

headbulb (534102) | more than 10 years ago | (#8553374)

You try getting a trunk that has SS7. Oh wait you can't.

You say that you the pstn is insecure.. Have you tried lately to 'hack' into one, well besides being able to listen to whats on a analog line. Tell me how a cellphone is insecure (They have encryption and cdma is pretty secure by itself.), or how a isdn line is insecure.. Those are circuit based networks. (well cellphones are a hybrid)

Tell me how would you go about overhearing a circuit in this circuit based network? You can't. The fbi can, But that hardly makes it insecure. Circuit based networks by their very nature are actually highly secure networks. The only person you really have to worry about is the one in control of the line, if you dont' trust them you go with someone else and use encryption..

Now packet based networks are the ones you really should be worried about. Anyone that is on your network segment can sniff your packets. Now if they are encrypted or not is really kinda beside the point.

The modern ptsn network has out of band signaling (ss7) So you can't do alot of the attacks that the old phone networks were vurnable to. LIke playing your own tones (inband signaling.) So tell me again why a circuit based network out of band signaling is insecure?. (oh you can't get into the out of band signalling other then to dial and thats with isdn which uses isup for its out of band. Which is really limited and firewalled {for lack of a better term at the moment} the switch)

Re:Um (0)

noselasd (594905) | more than 10 years ago | (#8553504)

>You say that you the pstn is insecure.. Have you tried lately to
>'hack' into one, well besides being able to listen to whats on a

Yes I have, it's rather hard, but finding the right cable, and
using the right software/hardware it's doable.

>analog line. Tell me how a cellphone is insecure (They have
>encryption and cdma is pretty secure by itself.), or how a isdn line
>is insecure.. Those are circuit based networks. (well cellphones are
>a hybrid)

True, but thats often just from the cellphone up to the antenna.(or sometimes a bit further..).
Once the voice is on cables, it's "decrypted"(not always though, but very common.

>Tell me how would you go about overhearing a circuit in this circuit
>based network? You can't. The fbi can, But that hardly makes it

You dig up a cable, its often 2mbit coax cables or fibre. You hook
on a splitter to get the signals. Feed them to a hardware card
on your PC, pick up an appropriate timeslot there, pass it throug a
decoder(e.g. G.711) and onto your soundcard.
I do this for work.. well not so much digging up cables, but making
software that can simulate e.g. a SS7 switch. It could among other things do the above.

>insecure. Circuit based networks by their very nature are actually
>highly secure networks. The only person you really have to worry
>about is the one in control of the line, if you dont' trust them you
>go with someone else and use encryption..

Its only secure cause its rather hard for the common man to do it.

Re:Um (1)

Gortbusters.org (637314) | more than 10 years ago | (#8553686)

The FBI can because telecomm equipment vendors are required to keep that functionality in.

Re:As opposed to the security of PSTN? (0)

Anonymous Coward | more than 10 years ago | (#8553513)

Amen to that - PSTN was never secure. VoIP can be MUCH more secure. Starting with the ability to control who calls you, where they come from, and whether or not they are impersonating someone else. Even PSTN CallerID is trivially spoofable. What privacy? Get OE. Start with encrypting everything - check out http://www.ietf.org/internet-drafts/draft-richards on-ipsec-opportunistic-13.txt [ietf.org] and http://www.freeswan.org/freeswan_trees/freeswan-2. 05/doc/quickstart.html [freeswan.org] A future revision will explain how to do it through NATs. What? Your VoIP box doesn't support OE? Tell your vendor to fix it, or put it behind a Linux firewall.

Re:As opposed to the security of PSTN? (1)

SatanicPuppy (611928) | more than 10 years ago | (#8553740)

Well, except for the fact that PSTN is based on hardware which is, by and large, too stupid to hack, whereas VOIP is pre-eminently and provably hackable.

Anyone remember the little scandal thing last year where someone was hacking cell phones that had public IP addresses? I think they definitely need to work on some encryption for VOIP. Everything I've seen with it to date has run with PTP tunneling because of the lack of security, and you could tell, bandwidth-wise.

Security? Not a problem for home users (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8553076)

Just look at how many unsecured wireless networks are out there. And most cordless phone users had no problem speaking of easily listenable frequencies for many years.

Re:Security? Not a problem for home users (1)

ArielMT (757715) | more than 10 years ago | (#8553349)

So the guys over at WarChalking [warchalking.org] aren't wasting their time after all? It's a good thing I don't give out my email address or order things by credit card except with my cordless non-Interweb-emabled phone. Ah goody, Microsoft really does care about my computer's security, because they just sent me another patch as an attachment to one of their spiffy emails. Excuse me while I go run the patch... stupid antivirus warnings...

*snicker* Since when did security hold any technology back?

"There's a sucker born every minute." [historybuff.com] In the grander scheme of things, that's so true.

VoIP concerns are big in Gov't Agencies (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553079)

***Here are some of the imdb.com reviews for "Gay Niggers From Outer Space":

Summary: The best homosexual racial minority sci-fi film ever.

"Morten Lindbergs classic cult short, Gay Niggers From Outer Space is one of
the first short films to really stick to what the title suggests. From the
time the first gay nigger walked onto the screen up until the final intense
climax with the Tourette's Syndrome Kingdom in Outer Space, it's filled with
dark comedy, action and plenty of suspense. "

"Gay Niggers from Outer Space is a masterpiece of a film. No other film
portraits emotions as majestically and stunningly since The Legend of Nigger
Charley and Home Alone II. With a cast of all-star African niggers and a
director with Kubrick potential, it is no wonder that Gay Niggers from Outer
Space is marked the greatest film of all time."

"From the very first scene where Gay Nigger Harris throws up on his own face
and commits suicide, to the climactic scene where Nigger Ralph Nader and
Nigger Humphrey Bogart fight over the last hashbrown and pick cotton til
their noses bleed, Gay Niggers from Outer Space is the most magical
portrayal of gay niggers open to the public."

***However, no mention is made of the hazadous lifestyle of gay niggers,
so the following is an attempt to explain those hazards in layman's terms:

Despite cries to the contrary in the media, AIDS is still primarily a gay
and black disease. The media loves to report the "growing epidemic" among
whites, when in fact the rate of infection among heterosexual whites is
dropping off significantly year by year. The media though, reports only the
TOTAL current infection rate, not the RELATIVE. So while there are more
cases each year, the RATE of infection is dropping quickly. Except for the
gay/nigger communities, where it's skyrocketing.

Why does AIDS seem to target gays and niggers so much more so than whites
and straights? Anal sex. The anus was not designed to accommodate vigorous
penetration as occurs in anal sex. Unlike the vagina, the anus has very
delicate membranes, which damage easily. Couple that with the fact that
sperm contains immune system suppressing chemicals. That's why the sperm is
not treated as a foreign protein in the vagina...because of the immune
suppressing effects of the sperm cells. Without this effect, pregnancy
could not occur, as the sperm would be attacked as a foreign protein.

In the anus, sperm has the same immune suppressing effect. During anal sex,
the anal wall is torn and open lesions form. Because there is little if any
sensory nerve endings in the anus, this damage often goes unnoticed. The
sperm then induce their immune suppressing effect, and the stage is set.
Various bacteria both beneficial and infectious dwell in the colon, as well
as viral matter. When the anus is ripped open, exposing the blood to the
immune suppressing chemicals in the sperm, and the viral matter passed
along with it, infection is virtually assured.

***So does the skyrocketing rate of AIDS infection mean that there are
skyrocketing rates of gay niggers???

***Not exactly, because most White people don't realize that a large
percentage of nigger males are bisexual. It's a great irony considering all
of their macho posturing and affectations. They tend to admire the male
physique, and when no women are present, they will hip-hop dance with each
other. Any port in a storm will do, because da' brotha's just gots ta
have it!!! Then they pass along the virus to their wives, girlfriends, and
family members.

***Here is a story about this phenomenon from "The Village Voice":

http://www.villagevoice.com/issues/0123/wright.p hp

And for the Toronto Gay Niggers:

http://www.nowtoronto.com/issues/2001-08-16/news _s tory_p.html

Hey Assholes (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553080)

WELCOME, ASSHOLE!

Since you are reading this you have either come to see how to join or received your membership induction notification and come to see what th'hell you're being called. Either way, we know that you're one of us!

WTF Are We?
The International Association of Assholes is a membership organization to permit all Assholes everywhere to proudly proclaim their status as Assholes, and the degree by which they are recognized as such by other Assholes. It also provides a convenient method by which all member Assholes may inform other Assholes in the world that they have been formally recognized for what they are...and a means by which we can make a quick buck by simply being ourselves.

Each newly inducted Asshole receives an email from us announcing the great honour that has been bestowed and the Asshole (w/email or snail address thereof) who has sponsored this blessed event. Upon receipt of each Registered Asshole's snail address we send a really cool certificate on heavy stock printed with Old English type and bearing the Registered Asshole's name (and title c org, if given) - suitable for framing. A walletcard is sent for the next level of membership.

We obviously can't show the card and certificates that we issue, to keep you Assholes from just making copies and doing your own. Otherwise, the cost isn't worth your time to make one, because it just costs $10 US to sponsor an Asshole to membership w/Certificate and another $10 US to get a walletcard ($20 for both).

Important Stuff (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553083)

Please try to keep posts on topic.
Try to reply to other people's comments instead of starting new threads.
Read other people's messages before posting your own to avoid simply duplicating what has already been said.
Use a clear subject that describes what your message is about.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
If you want replies to your comments sent to you, consider logging in or creating an account.
Problems regarding accounts or comment posting should be sent to CowboyNeal.

PSTN? Secure? (5, Insightful)

Heartz (562803) | more than 10 years ago | (#8553096)

Whoever said PSTN was secure? All you need to sniff is a wire and the right equipment. And it's easy to do.

Intrusion Security (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8553107)

In the anus, sperm has the same immune suppressing effect. During anal sex,
the anal wall is torn and open lesions form. Because there is little if any
sensory nerve endings in the anus, this damage often goes unnoticed. The
sperm then induce their immune suppressing effect, and the stage is set.
Various bacteria both beneficial and infectious dwell in the colon, as well
as viral matter. When the anus is ripped open, exposing the blood to the
immune suppressing chemicals in the sperm, and the viral matter passed
along with it, infection is virtually assured.

Re:PSTN? Secure? (1)

vrmlknight (309019) | more than 10 years ago | (#8553109)

really all you need is a phone handset and a few alligator clips, and that's getting complex..

Re:PSTN? Secure? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8553124)

can i put those alligator clips on my nipples?
btw, my name is natalie portman and i have sizzling hot grits slithering down underneath my panties and over my warm, moist, sweet pussy.

Re:PSTN? Secure? (1)

javajawa (126489) | more than 10 years ago | (#8553156)

Of course, traditional wire sniffing requires physical access, whereas VoIP sniffing merely requires virtual access.

Re:PSTN? Secure? (2, Insightful)

vrmlknight (309019) | more than 10 years ago | (#8553209)

Sniffing VoIP traffic still requires some physical access, you need to be able to intercept the packets either be on a router in-between the points or have root'ed a box in between them, or in the case of wireless be physically close to them and have a week or so to crack what ever encryption they are running on the wireless network...

I don't wnat VoIP (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8553104)

I don't want VoIP. Depending on the Internet for all communications (e-mail, IM, and phone) is just a bad idea.

Re:I don't wnat VoIP (3, Funny)

Phekko (619272) | more than 10 years ago | (#8553122)

Agreed. That's why there should be Slashdot via carrier pigeons, dammit!

Re:I don't wnat VoIP (0)

Anonymous Coward | more than 10 years ago | (#8553143)

what is it, really?
damn it? damnit? dammit?

Re:I don't wnat VoIP (1)

firstadopter.com (745257) | more than 10 years ago | (#8553148)

Why is depending on the internet for communications a bad idea? It's fault tolerant, a lot of back up ways. On the other hand other systems, just go down and you're stuck.

Re:I don't wnat VoIP (0)

Anonymous Coward | more than 10 years ago | (#8553208)

Take Slammer. It managed to slow the Internet to a point where it became unusable. It's only a matter of time before more Slammer-like worms come, only instead of targetting desktops they target the Internet itself.

Luckily I'm old fashioned (0)

Anonymous Coward | more than 10 years ago | (#8553465)

I grew up (long time ago) in an environment where phone and postal services were sporadic, I also lived for 2 years in an apartment with no phone, and backpacked for months with little access to phones and mail. So I'm used to losing my communication lines periodically. I don't freak out if I don't have a phone.

For the past year, I've had no landline, I have a a cable modem and cheapo voip (and an even cheaper pager). Around here, the cable modem goes out quite rarely so internet's usually not a problem. But the voip doesn't work half the time, and I don't care: it works the other half of the time. At worst, there's the pay phone around the block, or the neighbor's phone/voip.

You ask, what about 911, what about disasters? When there is a major problem and the power and the internet's out, the neighborhood gets together and helps out, no sweat (they can call for me, drive me to get help, etc). That's not even remotely a problem (although I have called the police through voip before).

So yeah, luckily I grew up so far in the past I'm not afraid to use modern technology. :=P

Just do what I do (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8553115)

Never have anything interesting to talk about. Ten minutes of discussion on rectal bleeding ought to get rid of snoopers.

Security isn't the problem. (5, Insightful)

danitor (600348) | more than 10 years ago | (#8553117)

As usual, Michael's title is misleading.

Security is not holding VOIP back.

Security is just one layer that needs to be implemented, particularly when VOIP becomes more widespread. It has very little to do with adoption- just look at how analog cellphones prospered. We all know how easy those were to listen to.

Re:Security isn't the problem. (2, Insightful)

phoneboy (11009) | more than 10 years ago | (#8553310)

The title of the news story is the title of the article on Voxilla. If you disagree with the premise of the article, fair enough, but don't attack Michael over it. He wasn't responsible for choosing it -- I was.

-- PhoneBoy

Re:Security isn't the problem. (0)

Anonymous Coward | more than 10 years ago | (#8553461)

but don't attack Michael over it
Exactly, much more appropriate to attack him over the fact that he is squatting [sethf.com] on the censorware.org domain, using it to further a personal grudge match, rather than giving it back to the Censorware project who are trying to fight Internet censorship.

Obviously Michael's personal feuds are more important than fighting online censorship. Good to know where his priorities lie.

ps. If you are reading this it is probably because Michael hasn't spotted it yet, since in a further act of breathtaking hypocrisy, he is known to use his editor status to censor any attempts to bring the wider /. readership's attention to this shameful act.

Re:Security isn't the problem. (-1)

Seth Finklestein (582901) | more than 10 years ago | (#8553515)

For more information on Michael Sims' information atrocities, please click here [sethf.com] to read some very informative articles.

Re:Security isn't the problem. (0)

Anonymous Coward | more than 10 years ago | (#8553568)

One satisfying result of this is that if you search Google for "Michael Sims" almost all of the results pertaining to him are people criticizing him - I doubt he gets much pleasure from ego-surfing ;)

Re:Security isn't the problem. (1)

Gortbusters.org (637314) | more than 10 years ago | (#8553700)

True that, there's enough good security stuff out there like media encryption (take a look at the H.323 phones from Avaya and Avaya's Communication Manager product), though I think Cisco followed suit and added it. The main problem with adopting voice is that many networks are not setup for voice. Everything from at least a 100MB back bone to VLANs is required to get good quality of service in VOIP, and even then things can happen that require you to tune the network.

Re:Security isn't the problem - False (0)

Anonymous Coward | more than 10 years ago | (#8553704)

Security is not holding VOIP back.


False

The exact topic of interest was security in a VOIP discussion recently on a mailing list. The lack of an end to end security solution (ssh/ssl/?) with Vonage agent-in-the-middle snooping possible is the exact problem.

Had this not been the problem, we would have been one of the first customers of Vonage, and would have had multiple locations set up first with those Vonage/Linksys appliances, and later with something more robust as we looked into it further.

Security of calls is the most important thing to consider when considering voice service. Even before quality. You can spend a penny a call, or a buck a call, and it doesn't matter which if the security is not there because when someone gets a hold of information from one of your bank/business/insurance accounts, then the game is up. Think whole life insurance with a couple hundred grand in cash value, not car or house insurance. Or a deposit account for a construction company. One penetration, and you will lose a 100 years of phone bills.

You'll understand what I'm talking about after high school and college.

just look at how analog cellphones prospered. We all know how easy those were to listen to.


This shows your age. Even more so than my initial misreading of the line as analog cordless phones instead of analog cellphones.

When analog cellphones came out (I won't start with the very first ones) they were about $700 a piece, and $5 a minute. The only ones using them were doctors, stockbrokers, drug dealers, and a select few others with the company connections or money to waste on them. While it was common knowledge among hams and cd radio fans that you could pick up the conversations with scanners, it wasn't well known among the actual users how easy it was. I knew a few users back then and warned them, and they dismissed my concerns.

Back then, a scanner capable of picking up analog cell phones (without modifying a cheaper version) cost $299. And you could pick up not only analog cell calls, but marine bands as well. Quite a few times I heard ship to shore calls being placed to a shore operator that required the guy on the boat to read his credit card details over the air to pay for the call. Of course, when I heard such calls, I changed frequencies immediately. I was interested in what fish were running where, and who was catching what, and where, not credit card conversations.

One difference then was that the number of scanners were limited (my scanner was the first one sold at a busy electronics store in close to a year at that time). Another difference was the threat of heavy jail time for intercepting the calls. There were regular announcements of busts for intercepting the calls, but the announcements for cloning the phones later far outnumbered the ability to listen in.

The only reason that listening in on analog calls was brought to people's attention was that the cellular companies had paid billions for digital spectrum, and wanted to move everyone off analog. So the scare stories started streaming out regularly after that.

How in the hell you got modded up to a 5, especially after someone else corrected your mistake on the title is beyond me. You must have a lot of alternate ids and mod points on them. I can't see any other way.

Landline isn't technically secure either. (4, Insightful)

Anonymous Coward | more than 10 years ago | (#8553120)

Nobody said landlines were particularly secure either. Anyone can tap a phone line or phone box for that matter and listen in on your conversations. There's few encrypted landlines around. It's also easy to listen in on cellular or wireless handsets with relatively inexpensive equipment. So for security, neither are very. If you want security you need fiber optic (VoIP or not) that measures light passing through the fiber and can detect if some of it is being diverted to listen in. Only the military and the Illuminati needs something like that.

What landlines ARE, though, are more reliable. I don't want to have my VoIP phone crash on me or have packet loss when I'm trying to call 911 because of a heart attack. You don't get two chances at that to call again, reboot, or whatever.

I see it like this (4, Informative)

barenaked (711701) | more than 10 years ago | (#8553121)

Today's Firewalls dynamically open and close multiple ports as required by VoIP signaling protocols such as SIP, they remain ineffective in securely supporting unsolicited incoming connections. NAT prevents two way voice and multimedia communication, because the private addresses and ports inserted by the client devices (SIP phones, video conferencing etc.) in the packet payload are unable to be routed in public networks. Therefore, incoming calls that are in any service intended to replace the PSTN just are not possible with todays existing NAT/Firewalls.

Re:I see it like this (2, Interesting)

NTmatter (589153) | more than 10 years ago | (#8553584)

I'd say the problem isn't really the NAT/Firewalls - it's just the NAT that's a hindrance to bidirectional communication. It's simply impossible to create a connection to something behind a NAT box when you only have one IP to work with.

The best analogy to work with would be calling a large department store, wanting to talk to the clothing department, but being confronted by a receptionist or an automated machine telling you to "Enter the extension of the department you would like to dial." This is sadly impossible in the context of VoIP without having a server on the NAT box, or a hack in the NAT's rules that is capable of inquiring which "extension" to forward the call to. While this is plausible, it also raises the problem of exactly how to standardize the process. Too many people have an interest in VoIP for any sort of final standard to be released.

The only practical solution, in this case, (at least from a networking standpoint) is to eliminate NAT altogether. Fortunately, such a solution already exists. Its name is IPv6. If everyone can have their own globally routable IP address (and thus a globally unique iPhone#), then there would be no compelling need for NAT outside of obscure load-balancing setups.

Sadly, the switch to IPv6 brings its own set of problems. Namely, the Telcos and government, who have been fighting for the taxation of the internet and internet telephony services, or at least their providers. IPv6 + VoIP will eat into the profits of Telcos once they start becoming widespread. Why pay a perfectly reasonable 10 cents a minute for long distance, when you can pay $30/month (or however much internet access costs you) for unlimited calls to anywhere in the world.

As for roaming, there's no real problem in having a bit of software on your VoIP box that forwards your calls to a VoIP mobile phone sitting on some wireless network out at the office, as long as there's a way to let the VoIP box know the correct IP to transparently route calls to. Think of it as call forwarding for networks.

So, there's no real problem with the replacement of PSTN, aside from the IPv6 transition, whose problems have already been beaten to death on Slashdot in the past. If only we could get corporations to just shut up and die when they become obsolete for the greater public good, life would be so much easier, wouldn't it?

DISCLAIMER: The author will not be held responsible for any negative aftereffects that may or may not result from the usage of this opinion as fact.

SIP (2, Informative)

Servo (9177) | more than 10 years ago | (#8553745)

I use Vonage (SIP Phone) on my nat/firewall connection at home, and it works perfectly fine. I'm not sure if you are aware how these technologies work at all...

Marketing and Brand (4, Insightful)

firstadopter.com (745257) | more than 10 years ago | (#8553126)

I think the main thing holding VOIP back is the Baby Bells, who have a lot to lose if they keep pushing it. SO it's up to the startups like Vonage to publicize the benefits and the low cost. Unfortunately that will take a LONG time as people just don't know about it.

Re:Marketing and Brand (2, Insightful)

phoneboy (11009) | more than 10 years ago | (#8553354)

I think the Baby Bells have a lot to gain if they start implementing VoIP instead of burying their head in the sand and trying to fight it.

-- PhoneBoy

Re:Marketing and Brand (1)

Deliveranc3 (629997) | more than 10 years ago | (#8553420)

Napster didn't need marketting. The product isn't ready for mass market, when I build a house I still have to install old phone lines. That's crap, it's just not ready yet. Backwards compatability is one of the major problems and the other is ease of use.

Despite this I think they are fairly standardized now and the quality is excellent.

If someone offered a service which would patch the data from a phone # to an I.P. then I'd use it in a second.

secure? (5, Funny)

loraksus (171574) | more than 10 years ago | (#8553136)

like PSTN 2 aligator clips and a regular handset secure?
Hell, when I *ahem* hung around people who beiged boxed we didn't even have aligator clips. Holding onto the wires was cool until a the phone rang ;)

Eh? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8553149)

PSTN is secure?

insecure network - insecure services (4, Insightful)

UnderAttack (311872) | more than 10 years ago | (#8553193)

regular phone service is secure (and does not need encryption) since the network it is using is considered secure. Climping up on phone poles is not only a lot of work, but gets you easily arrested as well.

On the internet on the other hand, you can take your pick of about 500k ready to use backdoored hosts at any day. Just pick one close enough to your target. If you are desperate, buy one of the routers in the path on IRC for a few stolen CC numbers.

What we need is a simple and fast encryption method for VoIP. Similar to the phone network, it doesn't have to be 'Fed prove'. This may make it possible to come up with something simple that will not cause excessive latency.

Of course, one issue with VoIP is that its kind of stretching the limits of current infrastructure. So any added overhead may break it.

Re:insecure network - insecure services (3, Informative)

alexatrit (689331) | more than 10 years ago | (#8553221)

Why climb up the pole at all, when many residential subscriber blocks are mounted on the front of people's homes? Most of these units are unlocked. Merely open the door, insert a splitter from Radio Shack, and off you go.

Re:insecure network - insecure services (2, Informative)

c_g_hills (110430) | more than 10 years ago | (#8553322)

What we need is a simple and fast encryption method for VoIP.

IPv6 supports encryption natively. Running voice-over-ip using version 6 is another great reason to make the upgrade.

Re:insecure network - insecure services (1)

emf (68407) | more than 10 years ago | (#8553367)

I would say the opposite, regulare phone service is very unsecure. Tapping your phone line is very easy if you know what you're doing. There are various places between the CO and your phone which can serve as easy locations to tap your line. For example if we lived in the same apartment building and your apartment was directly above mine. Your phone line may actually be running through my unit. It doesn't get any easier than that to tap it.

I've never used VoIP, but I would think that if you and I decided to have a VoIP conversation we could easilly encrypt the communications from each others computers (i.e. IPSec, or some encrypted tunnel if the application won't support it). Our IP traffic will not only be much more difficult to tap than POTS, but even if it is tapped it then becomes very difficult if not impossible to break the encryption.

Re:insecure network - insecure services (1)

Jameth (664111) | more than 10 years ago | (#8553425)

The issue is mostly that you need to physically tap the line. This will, at the least, demonstrate that you are tapping a line. Also, you need to be relatively immediately colocated to tap a phone line.

VoIP can, however, be easily tapped from a distance without and physical evidence.

Re:insecure network - insecure services (1)

Gortbusters.org (637314) | more than 10 years ago | (#8553714)

Take a look at this presentation [avaya.com] from Avaya (formerly the part of Lucent / AT&T that did all of the PBX/phones), they now have media encryption.

Crappy service is holding VOIP back (2, Funny)

bhny (97647) | more than 10 years ago | (#8553215)

I've had a ridiculous number of problems with Vonage, never any worries about security.

Re:Crappy service is holding VOIP back (2, Informative)

dr3vil (604180) | more than 10 years ago | (#8553282)

Really? I've been using Vonage quite happily for over a year now. Great quality, uptime, service. Althpugh I haven't ditched Ma Bell yet (she provides my DSL service, and my grandfathered-in static ip address would be sorely missed).

Re:Crappy service is holding VOIP back (2, Informative)

azuretek (708981) | more than 10 years ago | (#8553763)

I've been using vonage for about a year and I havent had hardly any problems (no more than I did with a regular land line)

I ditched my land line about 2 months after I got my vonage, I haven't looked back since. I moved accross country and I brought it along and still no problems. I'd bet alot of the problems people have had are on their own end and their cable company (my company told me they didn't have to support any service as long as I could view web pages)

Theres a few things I don't like about viop (3, Interesting)

headbulb (534102) | more than 10 years ago | (#8553216)

First and this one goes for cell phones too.

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence. Cell phones have to do the same thing to conserver power but what they do is, Place confort noise. This keeps the person thinking that the call is still going. (This is what really turns me off about VOIP)

Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.

I just think its not the correct way of going about creating a network that is designed to be directly connected. The network that pstn is based on has a niche. Where else are you doing to get a virtual connection without having to bury your own lines to every office. (forgot the terms at moment)

It's extremly hard to talk to someone when A. You have a delay. B. You have missing packets that interupt the signal, Thus you get dropouts.

Now I do like voip in games.. That confort noise I was talking about, Is now takin over by the sound the game makes, and so the silence inbetween isn't so weird.

I have heard about sprint doing voip networks with their own network to get around the ping/packetloss/QOS that is not a garantee on public networks. But I view it as if They want to have a packet based voice network they need to design it from the groundup to just work instead of just layering it ontop of IP. They then need to submit this to the standerd association, So that phone companys don't have to convert/recompress and signal with eath in and out on the network. Otherwords a more lossless operation.

Well thats my beef.

Re:Theres a few things I don't like about viop (0)

Anonymous Coward | more than 10 years ago | (#8553314)


Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.


Welcome to the world of VoIP with SIP, where all the building blocks to build the services are standardized (for some value of standardized), but the services themselves are not -- they are left up to the intelligent endpoints (for some definition of intelligent) to work out, if they can.

Re:Theres a few things I don't like about viop (0)

Anonymous Coward | more than 10 years ago | (#8553440)

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence. Cell phones have to do the same thing to conserver power but what they do is, Place confort noise. This keeps the person thinking that the call is still going. (This is what really turns me off about VOIP)

There is possibility of a silence noise generation in some VoIP codecs - check your device features first! Moreover, VoIP can use GSM cellphone codec too and be absolutely transparent.

Re:Theres a few things I don't like about viop (1)

bcrowell (177657) | more than 10 years ago | (#8553590)

It sounds like your information is out of date.

With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence.
I use Vonage now, and what you're describing doesn't happen.

Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.
I don't know anyone who uses PC software for internet telephony these days. The companies they're talking about in the article sell you a black box that you plug a regular phone into. No computer needed.

Is Security Holding VoIP Back? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8553253)

"Is Security Holding VoIP Back?"

God damn! That stinking "security" again!! Let's
just get rid of the fscking word and use VoIP, and netbus for remote administration..

Which way are we going? (3, Interesting)

amigoro (761348) | more than 10 years ago | (#8553254)

On the one hand, we want to use IP for our voice communications. On the other, we want to use our mobile phone for surfing the web (and installing Linux [mithuro.com] but that's another story).

So which way are we headed?

It's quite ironic that the internet spread as rapidly as it did because people were able to use internet over dialup, and today, the discussion is about how to replace the existing PSTN architecture with VoIP.

However, I think sooner, or later, people will make ALL there phone calls using internet enabled mobile phones. So what protocol are they going to use? Or is it going to be a mix of protocols, say, if a Canadian were to talk to a friend in Australia?

Security... sort of (2, Informative)

mental_telepathy (564156) | more than 10 years ago | (#8553261)

one interesting (related) note, is that security is holding back voice over wireless. Not directly because of security concerns, but because of speed. The time to authenticate from AP to AP is causing QOS issues with the voice communications.

The question is..... (3, Insightful)

invisik (227250) | more than 10 years ago | (#8553293)

..is the internet ready for the mass migration from PSTN?

With all the lag and overloading on the internet, is it really ready to handle a jillion voice streams running over it with the expectation of quality and reliability of PSTN?

As a geek type, I'd love to see it come together to widescale use. But as a business type, it seems to unreliable for official use yet. Most businesses can tolerate their internet connection being down for a period of time, but I don't know any business who can tolerate a phone outage short of sending everyone home.

-m

Re:The question is..... (1)

bcrowell (177657) | more than 10 years ago | (#8553742)

..is the internet ready for the mass migration from PSTN?

With all the lag and overloading on the internet, is it really ready to handle a jillion voice streams running over it with the expectation of quality and reliability of PSTN?

When you make a long distance call, you probably visualize it going through copper wire to the local telco, and then crossing the continent as an analog signal on fiber optic cables. Actually, the chances are very good that at some point in its journey, your signal is passing through the internet. Phone service and the internet are technologies that have really already converged. Long distance providers and internet backbone providers all sell each other bandwidth as needed. When people refer to "VOIP" or "internet telephony," it's really a misleading use of the terminology, because Grandma in Omaha probably uses VOIP without knowing it every time she makes a long distance call through Sprint.

the problem is not VOIP phone (0)

Anonymous Coward | more than 10 years ago | (#8553304)

The problem is most of us still can't get DSL or cable to our home even if we're in silly con valley.

Infrastructure not security is holding it back (2, Interesting)

jobugeek (466084) | more than 10 years ago | (#8553328)

The whole point of VOIP is not having two separate lines. But when we looked at doing at our company, the undertaking to prepare the data network(upgrading cabling, tweaking or turning on QOS on routers, etc) it became more work than what VOIP was advertised to solved.

And truthfully, many companies I talked to who converted to it haven't been all that thrilled with the results so far. It's either been flaky or was so expensive that it didn't justice the cost.

Re:Infrastructure not security is holding it back (1)

gnu-generation-one (717590) | more than 10 years ago | (#8553780)

"And truthfully, many companies I talked to who converted to it haven't been all that thrilled with the results so far."

Like dropping phone calls when the network gets busy? Too right it's not a good result. And try debugging phone problems when they're being caused by someone running a game on the network with intermittant IP traffic.

PGP Phone (2, Interesting)

hikerhat (678157) | more than 10 years ago | (#8553341)

Too bad PGP phone [mit.edu] never took off.

Bull! (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8553344)

voip -- blowfish -- { internet } -- blowfish -- voip
Someone implement a cheap box that lets you plug a normal phone into your PC with that, and VOIP will take off and the telco's will become extinct
I've been saying this for 3 years now!

Re:Bull! (0)

ShallowThroat (667311) | more than 10 years ago | (#8553406)

but who will think of the poor telcos!? Just letting them die after all their fair buisness methods!?

Re:Bull! (1)

unclefungus (663751) | more than 10 years ago | (#8553695)

let me say I do see the sarcasm in your post, but seriously, any buisness that wants to survive has to learn to adapt. if the telcos don't adapt they will die. maybe, since they already have most the voip, internet backbones, and major connectoins they should provide a voip phone service to go with your new DSL line. my cable modem company is trying to get me to buy into it, but they cost to much. :)

No. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8553346)

Is VoIP secure enough to replace the PSTN as we know it?


No.

Thanks to the acceptance of less than end to end secure encryption similar to ssh or ssl, and thanks to Voip providers willingly/being forced to provide snooping access thanks to their man-in-the-middle position, this will end the requirements for a judge to oversee and ensure snooping is justified in a small number of cases, and open everything up to massive snooping, and massive insecurity.

There is no judicial oversight for cordless phones. Why? Because in the words of past court decisions, when using a cordless phone, it is not secure (whatever your beliefs) as an end-to-end switched telephone call. Others can eavesdrop, and so can the government.

You accept using VOIP without end-to-end ssh/ssl/whatever security? Then you can't demand privacy and judicial oversight over snooping requests.

And you open up all telephone calls everywhere to being snooped on by not only the government, but anyone with the computing power and knowledge to snoop packets/save packets/grep packets. As computing power goes up, it gets easier to set grep cron jobs for key words when you go to bed, and then wake up ready to really go to work in the morning.

I'm no computer expert. Just a Monday morning half back. So maybe the experts can answer why I can't plug a VOIP phone into my network switch, and call up Cowboy Neal on his VOIP phone on his network switch, and we can talk with an ssl or ssh connecton bypassing Vonage and Ma Bell altogether.

Why isn't there an effort on Sourceforge (is there?) to enable this? Why are we letting Ma Bell continue to control our conversations when we have broadband connections and the equivalent of supercomputers from just a few years ago sitting on our desktops?

Anyone?

Why do we even need VoIP though? (5, Insightful)

nial-in-a-box (588883) | more than 10 years ago | (#8553351)

  • It doesn't really do anything that is currently needed.
  • It is more complicated than it needs to be.
  • Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.
  • It's going to be regulated as hell sooner or later.
  • It's not a satisfactory long-term solution.

What annoys me the most is that cell phones still are not treated as "normal" phones by the key places where it matters, such as credit cards, etc. If I pay a monthly bill on a cell phone, and I need a positive credit rating to even get that service plan in the first place, why is that not good enough to establish credit? It annoys me that even though it seems like something that has been overlooked, it also looks like we're just giving extra business to land-line providers. I have no need for such a telephone line, but I will probably have to get one the next time I move as it still is a requirement for many things.

I need VoIP (2, Insightful)

gad_zuki! (70830) | more than 10 years ago | (#8553621)

>It doesn't really do anything that is currently needed.

I don't want to pay for a POTS line and expensive long-distance.

>It is more complicated than it needs to be.

That can be said of a lot of things. It happens to work, and well.

>Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.

My cell phone goes out all the time, my VoIP works all the time. My cell phone has limited minutes and when in use it pushes a few watts of energy at my head t'boot. It also sounds more like a POTS phone than the crap that a cell-phone delivers. You can speakly quietly, listen to real human sounds like quiet sighs and other things cell-phones fail at delivering. No finger in the other ear using VoIP.

>It's going to be regulated as hell sooner or later.

Defeatist much? Even regulated that doesn't mean it will be unafforable or even more expensive. The last round of complaints have more to do with calling your local 911 service and many VoIP proviers already have that function working.

>It's not a satisfactory long-term solution.

Says you. Only the five richest kings of Europe will be able to afford computers too.

Re:Why do we even need VoIP though? (2, Informative)

bcrowell (177657) | more than 10 years ago | (#8553628)

It doesn't really do anything that is currently needed.
For us, it was simply cheaper than paying for telco service in our house.

It is more complicated than it needs to be.
Huh? They shipped us a black box that plugs into our cable modem. You plug a phone into the black box. There was no configuration to do. You don't need a computer.

Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.
We now have a cell phone and a Vonage line, and no telco service. The Vonage service is cheaper and more reliable than the cell service, and the quality is better. YMMV.

It's going to be regulated as hell sooner or later.
Or maybe not.

It's not a satisfactory long-term solution.
Because...?

It's not security, it's quality (4, Interesting)

Linegod (9952) | more than 10 years ago | (#8553396)

Spend some time using VOIP and you'll want to poke yourself in the eye. And that's on an internal network with QoS. You can put up with a delay on your mail, web, ftp, etc, or even jitter on video, but when audio starts to fart and burp, you'll go mad (MAD I SAY).

And with the cost of long distance nowadays, why would you want to drive the cost of your Internet access up by overloading the network with traffic that is doing perfectly well on it's current medium? I guess it comes back to the question of 'What are you trying to fix anyway?'

Re:It's not security, it's quality (1)

Gortbusters.org (637314) | more than 10 years ago | (#8553733)

I disagree. I have an IP phone at work, and it's great, I see little or no difference from my old circuit switched phone.

What brand of phone do you use? I have heard that earlier Cisco phones weren't so great.

security and voip deployment (0, Redundant)

fat32 (620360) | more than 10 years ago | (#8553407)

IP Telephony allows the terms "Phreaker" and "Hacker" to come closer then ever before because of the convergence between telephony and IP. The security threat associated with IP Telephony is far greater than with regular telephone networks. It is combined from a number of different factors that needs to be evaluated before any deployment of IP Telephony.

PSTN Security ? (2, Informative)

noselasd (594905) | more than 10 years ago | (#8553409)

I'm somewhat wondering at which level they need security..
If you want VoIP over the Internet, you defintly need to care about security.

Then again if an operator wants to do this over the internet, there are alot other things than security to think of
as well,(e.g how goddamn unreliable the internet can be.. packet loss, long unpredictable delays , etc.)

Now, many are already doing VoIP, but at a complete diffrent layer.
They replace their internal core switching network with IP networks.
Networks ofcourse nowhere near the internet, only as their internal bearer of signalling and in some cases the voice
as well.
Readers can go through the RFCs for the Sigtran stack for more info. Some are considering SIP/SIP-T as well.
The issue they face are not security, but maturity. Protocols and implementations are not that ready.
In this scenario noone talks about security, its the same as in the "old" telco network, phyisically security.

Which btw. isn't that secure. I can very well dig up an 2mbit SS7 cable, hook e.g. our SS7
simulator(www.utelsystems.com) onto it, and call for free, or cause lots of trouble for the switches..

A pet peeve: unencrypted cordless phones (3, Interesting)

WoTG (610710) | more than 10 years ago | (#8553435)

It bugs me that the vast majority of cordless phones for sale and purchased are unencrypted mini-radios.

Digital Spread Spectrum phones provide a reasonable amount of security, certainly orders of magnitude better than 'regular' cordless phones. DSS phones have been around for years, but for the sake of a few bucks and a lack of product knowledge, way too many people buy the $49.99 special at Walmart.

One of these day's I should buy or modify something to pickup analog signals so that I can scare/shock my friends/relatives/customers into buying better phones...

But...why ? (2, Interesting)

veg (76076) | more than 10 years ago | (#8553473)

Why replace PSTN, that uses proven, stable technology, with another technology designed for something completely different.
OK, within an organisaion it makes sense if you have CAT 5 going to everyone's office already, and you have assured bandwidth in your network infrastructure, it can, and does, work. But over the Internet ? Forget it.

ATM is such a good networking medium for the phone. It was designed to allow QoS and pacing, and is therefore perfect at multiplexing audio and video. That's why the packets all hold 48 bytes!

IP was NOT! When you've got VoIP, the web, Real, P2P, pr0n etc etc etc all competing for the same bandwidth, you really start to see why telephones have no business on the internet.

The only reason there is a national/international VoIP industry is cost. If VoIP really does become a serious threat to telephone companies, all they need to do is drop the cost (for a while) and the VoIP businesses drown.

Security ? Whoever wrote that article clearly doesn't understand what telephone networks are.

Not lack of security (5, Insightful)

mobileone (615808) | more than 10 years ago | (#8553474)

Security is just one of the issues why VoIP has not caught on as an end user technology:

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

Availability A normal landline telephone is usually available 99.98 % of the time. If your ADSL reaches 99.7% you should consider yourself lucky. Furthermore normal phones work during power outages. In some countries this is a regulatory requirement for emergency services.

Billing It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Only a land line solution The world is moving voice calls to mobile phones. So far it has not been shown that VoIP is technically or economically feasible on mobile phones?

Quality It is pretty hard to beat the delay characteristics of a normal landline phone! VoIP has severe delay problems on thin access lines such as ADSL. Usually OK for 2Mb/s and up.

After all VoIP is only a matter of changing layer 3 and 4 in the protocol stack. Why would end customers care?

The places where VoIP is used today it is mostly invisible to the end-user: It is used as a cost cutting technology by a large number of long distance carriers. The service however is sold as normal "high quality" telephony. It is also used in a corporate setting for branch-to-branch calls as well as for PABX replacements. VoIP also makes a lot of sense sense as computer-telephony-integration in call centers.

The next majer breakthrough for VoIP will be VoADSL. VoIP all the way to the customer premises. The interface to the customer however will be a normal POTS jack, full customer service and the associated billing!

Re:Not lack of security (1)

PoitNarf (160194) | more than 10 years ago | (#8553662)

People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

VoIP services such as Vonage are targeted towards people who already have a broadband connection, so that really isn't a factor for many people.

While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Devices such as the Cisco ATA-186 and the Motorola VT1000 enable customers to hook their normal phones up to the VoIP device, or hook their home phone wiring directly into the device.

In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

Kind of like what a cable or dsl modem does.

A normal landline telephone is usually available 99.98 % of the time. If your ADSL reaches 99.7% you should consider yourself lucky. Furthermore normal phones work during power outages. In some countries this is a regulatory requirement for emergency services.

Very valid point, however not always the case. During the August 2003 blackout even my normal phone was out. Only my cell phone worked. You can however buy a battery backup for your cable/dsl modem and VoIP device to keep them up and running. As long as your provider has emergency power at their location, you should be covered in that situation.

It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Check out the pricing plans and international rates on the Vonage website. I think you'll see that the costs are a lot lower.

The world is moving voice calls to mobile phones. So far it has not been shown that VoIP is technically or economically feasible on mobile phones?

I'm sure will see wireless internet access much more widespread in the years to come. That's the biggest hurdle for making wireless VoIP phones.

Re:Not lack of security (1)

bcrowell (177657) | more than 10 years ago | (#8553681)

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection. My family has already paid for broadband access so that we can have fast internet access. Given that decision, VOIP is indeed cheaper than telco service for us.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.
We have a wireless base station plugged into our Vonage box. In other rooms around the house, we have two other wireless handsets. The total cost was about $120, and it would be an equally practical setup if we had telco service instead of VOIP. Our house doesn't have phone outlets in all the rooms where we'd like them, and let me assure you that pulling cables through the walls and installing connectors would cost a lot more than $120.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.
To receive phone calls you have to have your phone plugged into the wall. How is this any different?

Quality It is pretty hard to beat the delay characteristics of a normal landline phone!
For us, the quality has been indistinguishable from what we had with telco service.

The DIFFERENCE is: Script Kiddies (2, Informative)

Saltation (756369) | more than 10 years ago | (#8553533)

PSTN communications are not easily physically available to most non-electronically-savvy people.

VoIP is (relatively) easily available to any computer-- it uses standard protocols and is intended to travel via networks which are physically publically available during at least some portions of a phone call's life. The access issues are those of any network crack. Exploits can be expected to be passed around thru the saddo script-kiddy-krackers as soon as discovered.

And as regards encryption -- no encryption can withstand brute force. If you are tracking someone's calls, you can simply copy them all to your own disks, then bruteforce open them in your own time. It might take a few days per call, but hey, that's good enough for most purposes.

--
Sal

Writings: saltation.blogspot.com [blogspot.com]
Wravings: go-blog-go.blogspot.com [blogspot.com]

less security than what? causing what problem? (4, Insightful)

bcrowell (177657) | more than 10 years ago | (#8553557)

I switched from telco to Vonage a couple of months ago, and this article has exactly zero correlation with the pros and cons of the transition as I experienced it.

First of all, if VOIP is supposed to be less secure, what is it less secure than? Less secure than telco service? That doesn't really make sense, because essentially all the people who I call and who call me have telco service. There's no such thing as a 'VOIP call' or a 'telco call.' If you stay with the telco because you think it's more secure, and then you call me, guess what -- your call went through my VOIP provider, so you're not any more secure. Likewise if I got a VOIP box that did encryption on the voice data, it still wouldn't guarantee my security if the person I was calling was using an unencrypted wireless connection on their end. And BTW, even if you're a telco customer calling another telco customer, many of your calls probably go through the internet on part of their journey.

It's also not clear to me what real problems they're claiming the lack of security would cause. The beginning of the article seems to imply that the threat is unreliability due to attacks by hackers. Well, that just isn't the real reliability issue faced by actual VOIP users. The only real reliability issue I've encountered is that when my cable modem service isn't working, my phone stops working. (But so far it's always cured the problem if I just power cycle the cable modem.) It's also worth noting that one of the main reasons we switched from telco to VOIP was the poor reliability of the telco service. We went through a period of about two weeks recently where there were telco guys working continuously all up and down the street, all our neighbors had no telco service (or patchy telco service), and we were the only ones on the block who could actually make a phone call. According to the telco worker I talked to (the big green box is right in front of my house), the issue is just that the equipment is getting really old.

They also seem to imply that there's some sort of a threat of identity theft, or that someone may steal your service. Well frankly, I'm taking a bigger risk every time I let a waiter in a restaurant see my credit card number.

Security (2, Interesting)

secolactico (519805) | more than 10 years ago | (#8553587)

Screw security. It does not need to be implemented on the network. It can be implemented on the endpoints, and there are already devices to encrypt plain old telephone calls.

Reliability is the key. PSTN are not more secure except for the fact that is controlled by a few and has limited application besides voice (your fax machine is not going to contract a virus that will in turn disrupt communications for everyone).

VoIP is feasible, but not over plain old internet, and it doesn't have to be. There are several telcos that use IP on their voice backbone, on a network isolated from the internet.

Imagine the slashdot effect taking down not only your company's webserver, but your phone lines as well... ;-)

911 (3, Funny)

RoadkillBunny (662203) | more than 10 years ago | (#8553591)

I see 911 as the biggest problem. If you are sharing the phone line with a normal internet, and you need to call 911 while someone decides to download the RedHat ISO's, you are in trouble.

we already use voip (0, Flamebait)

unclefungus (663751) | more than 10 years ago | (#8553640)

most of the thing the telcos do is VoIP already! the pstn is just for that last mile. once your connection hits the nearest box, it becomes Voip and is shot over the internet to the next nearest box to the other conversationist and back into a soiund singnal. this just gets rid of the middle man. there is no reason to have to have two different connections for what should be the ame thing! The telco are holding back the emergence of voip just like the oil co's were doing for the electric car. Does any one else realize they don't have monopoly on communication any more?

Another article on this subject... (3, Informative)

ManxStef (469602) | more than 10 years ago | (#8553676)

...over at SecurityFocus - Voice over IP Security [securityfocus.com] by Matthew Tanase

Converged Security (5, Informative)

Effugas (2378) | more than 10 years ago | (#8553756)

Voice over IP actually creates some particularly hairy security problems that traditional approaches really, really don't manage well. Some disclosure: I work for Avaya [avaya.com] , one of the big vendors of large scale VoIP systems, though much more for the enterprise market than for anything to do with the public space (Vonage, Packet8, etc).

Lets start by looking at the wire protocols. We have two separate domains within which VoIP operates: Signaling, which determines where a call should route, and traffic, which is the actual stream of speech that needs to arrive at its destination in under a tenth of a second. These are very different protocols. Signaling was originally implemented using H.323, which can be basically thought of as a port of the existing telephony protocols (SS7) to IP.

H.323 is...well...not entertaining to work with. It's a very messy protocol. To a first level of approximation, H.323 is being reimplemented with SIP, which applies the semantics of HTTP to VoIP signaling. SIP is still complicated, but in a more manageable way.

Whether one is using H.323 or SIP to route calls, the actual traffic is moved over a relatively simple protocol entitled RTP. RTP basically involves chunking compressed audio into small packets, attaching a timestamp and a codec identifier, and throwing the packet at the appropriate host. UDP Port selection is managed dynamically by whatever signaling protocol is being used, meaning a firewall either needs to open the entire range of ports that VoIP might use (not small) or it needs to directly parse the signaling traffic to determine what ports to open.

Remember how both SIP and H.323 are both very complex protocols? Add in that complex protocols can hide many security vulnerabilities, and put that complexity in the firewall: Mistakes are made. (That's not theoretical -- a recent mass audit of H.323 exposed holes not merely in VoIP endpoints, but VoIP-aware firewalls. Microsoft, who actually has a pretty impressive firewall solution, was hit pretty bad.)

It's now that we can start discussing the differences between Enterprise VoIP and the kind of PSTN-Bridge VoIP that Vonage sells. Phones in enterprises receive connections from every other potential phone -- in other words, there's generally no central proxy that copies all the traffic towards where it needs to be. In the enterprise world, there's relatively few firewalls inside the corporate network, those that are deployed can be made VoIP aware, and the "central gatekeepers" really only manage directory services (go to this IP for this extension), conference-call mixing, and in the Avaya case, encryption keys.

You don't have that situation in the public realm. Firewalls -- which are everywhere, as deployed through NAT -- simply won't accept incoming connections from hosts that a backend client wasn't communicating with in the first place. But that's almost OK, because the only host a Vonage box needs to communicate with is Vonage itself. So if you actually examine the Motorola device that Vonage is presently deploying, you'll see that it itself accepts almost no incoming connectivity of any form that doesn't appear to come from Vonage itself (just DHCP and ARP, basically). The public providers basically proxy all traffic, because they have to: Nodes on the public PSTN network (normal phone lines) can't be told to just send IP packets at the Motorola device. So the proxying is basically mandatory.

It's ironic that, at least at the moment, PSTN integration carries with it an architecture that's infinitely more wiretap-friendly than what VoIP could eventually become. Tapping a complex mesh where any node often communicates with every other node is difficult-to-impossible to do, at least with any form of reliability. Create a finite number of junction points that must be passed through in order for connectivity to be established, however, and tapping becomes feasible.

AOL Instant Messenger is the most interesting variant of this, as messages from China to Dubai proxy through the US (or at least through a US-controlled entity). But while instant messages are both the lowest bandwidth and least latency sensitive communication system in widespread use, voice actually takes a bit of bandwidth to it, and is extremely latency sensitive. So the proxying inherent in the Vonage solution is actually a significant performance hit.

Performance is the actual problem.

Don't get me wrong, security really does matter for Vonage. I recently wrote some code that's now sitting on my web server at home, about six hundred miles north of where I'm sitting now. Whenever I feel like it, I can SSH into that web server -- Triple-DES encrypted! -- pick up the traffic coming from my voice over IP provider, transfer it down to my laptop, and play it on my speakers in realtime. This is somewhat annoying to my roommates, but it makes a great demo.

Interestingly though, they complain much more about the fact that the link quality leaves something to be desired than the fact that occasionally I use our home phone to demonstrate security risks. Performance matters, and while enterprises have been able to engineer quality of service as a front-line item into their networks, the Internet as a whole just doesn't respect it. Even when home users have a QoS-aware firewall, the fact that the router merely one hop up doesn't respect QoS means that only outgoing packets get prioritized -- the packets coming in containing latency sensitive voice have to compete against web requests and large downloads.

It doesn't always sound very good. Trust me -- I can tell, and I don't even need to be home to notice. But I think this is a problem that will solve itself, in the same way that Steve Jobs pointed out that executives who couldn't type would disappear: Given time and given profitability, inefficiencies disappear. Given time and given profitability, bandwidth to the home is increasing rapidly enough that there really is becoming enough spare capacity to mitigate the performance issues, merely through brute force.

But when the performance issues dissipate, people really will start asking questions about encryption, and the answers aren't going to be easy. VoIP doesn't work very well with the standard encryption protocols. SSL and SSH both presume a reliable TCP session, which assumes that if a packet is dropped, it's OK to stop everything to get it retransmitted. In voice, you don't care about old dropped packets, you care about the latest content. IPSec, the most popular system for encrypting an unreliable transport (IP), is really too complex to make it onto all the devices that need to be working with VoIP (cell phones, since we need a good solution for providing access inside large buildings other than per-vendor base stations). Also, due to the small size of VoIP packets, IPSec applies something like a 50% overhead on a per packet basis, increasing latency and decreasing performance. SRTP was specifically designed for Voice over IP, but not only doesn't it handle the signaling channels discussed earlier, but it also doesn't handle key exchange. Since an encryption algorithm is mostly useless without a way for both sides to agree on a shared key, SRTP hasn't gone too far. I happen to have high hopes for Datagram TLS, which is being designed by Eric Rescorla of SSL fame and would provide a very nice unified interface in a way that should still fit on small devices. But it's still under development. That leaves the various proprietary architectures -- Avaya's had one for the last couple of years, Cisco should have one out any day now (they were the source of SRTP), etc. We'll see what happens with them.

Ultimately, VoIP as a PSTN bridge for the home is still in its infancy. For instance, I believe Vonage has no more than 25,000 subscribers. The real push, I think, is going to happen when cell phones start supporting VoIP -- because the corporate IT types are going to want to see some evidence its safe to allow their office WiFi networks to be used for voice, while the corporate users are going to see a final fix for dead zones inside the office. Home use will come along for the ride.

That's my take on it, having been hacking on the wire and being around the business types who are pushing it out. Others may have different experiences.

Yours Truly,

Dan Kaminsky
Avaya Enterprise Security Practice

Two things holding it back. (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8553795)

1) Cell Phones.
Why do I need another phone? I get excellent coverage and my calling plan is flexible.

2) Crappy ISP's
I would not be willing to deal with the latency/bandwidth issues. Until you have QoS from point A to point B, VOIP will be an annoyance.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...