Alan B. Johnston

Author of Counting from Zero and Returning to Zero technothriller novels, WebRTC and SIP subject matter expert, dinghy sailor, vintage dirtbike rider, traveler.


Stop SOPA!

The news coming out of Washington these days is never good, but this current techno-political issue is absolutely huge. If we don’t stop SOPA, the proposed Stop Online Piracy Act, the Internet as a place of free speech and economic innovation will be no more. While this may sound like hyperbole, I assure you it is not. Read this open letter written by many of the world’s top Internet engineers (and my colleagues at the IETF), published on the Electronic Frontier Foundation website.

This act, if it passes, will modify the core technology of the Internet, the Domain Name System (DNS). The ability of the Internet to grow, perform well, and be free of political interference and meddling is at stake.

This bill is being pushed by Hollywood and other intellectual property holders who claim that online piracy costs them billions in revenue and jobs. History has shown that the most successful way to stop online piracy is to make content available online at reasonable prices and terms. Remember music piracy? No longer a problem, due to the current availability of online music. In fact, this act would likely cost billions in lost jobs and profits from Internet startups that would never happen.

I am also a stakeholder in this debate. I hold several patents and copyrights on several books. I have used existing tools to have copyright violating content removed from websites – the current mechanisms do work and do not need replacing by draconian and sweeping approaches that have been shown to fail in (repressive) countries that have implemented them.

And finally, these changes will eliminate the engine of innovation that is the Internet. Now some will not miss this – their entrenched business models will continue. However, during this time of global economic stagnation, to kill one thing that could get us out of this is ludicrous.

Stop SOPA. It is as simple as that. Contact your representative today.



Websockets and SIP

Yesterday, RFC 6455, The WebSocket Protocol, was published by the IETF. This is the latest standard in the efforts to enable more applications to run in the web browser. This protocol, when supported in a browser and web server, allows the two to open additional TCP connections between them, besides the one they are using for the web session to send HTML, JavaScript, etc. to the browser.

One area of application is WebRTC, the work to enable real-time communications services in web pages. One approach that has been discussed in both the IETF and W3C is to use Websockets to open a new connection between the browser and web server, and run a signaling, presence, or instant messaging protocol over it. For example, it had been proposed to run SIP, Session Initiation Protocol, this way.

A few months ago I blogged about WebRTC and SIP, and argued that SIP should not be standardized by WebRTC, as had been proposed back then. I still believe this is correct, and recent work in the IETF has centered instead on standardizing some kind of offer/answer media negotiation protocol, while leaving the choice of signaling protocol open.

Recently a new Internet Draft was submitted on a WebSocket transport for the Session Initiation Protocol. I think this is a potentially useful approach and could be a good way to utilize SIP in conjunction with WebRTC. The draft is still in its early days and has not yet been adopted by the SIPCORE Working Group, but I think it is a great start. SIP developers who are interested in the WebRTC effort should read this draft and support this work.

In the meantime, it is great to see WebSocket finally published as an RFC, something I hope to see happen to a few of my Internet Drafts in the new year!
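To make the two halves of the post concrete, here is an added example (not code from the post, the IETF, or the draft's authors) of what a browser-side client would have to get right before running SIP over a WebSocket: the RFC 6455 opening handshake, including the Sec-WebSocket-Accept check that stops a client from talking to something that is not really a WebSocket server, followed by a minimal SIP REGISTER as it would be carried in a text frame. The subprotocol token `sip`, the Via transport token `WS`, and all hostnames and identifiers are assumptions for illustration; the GUID and the sample key/accept pair come from RFC 6455 itself.

```python
"""RFC 6455 opening handshake with a SIP subprotocol, plus a SIP request
as it would travel inside a WebSocket text frame.

Added example. Assumptions (not from the post or the draft): subprotocol
token "sip", Via transport token "WS", and every host/user name below.
"""
import base64
import hashlib
import hmac
import os

# GUID fixed by RFC 6455 section 4.2.2 for deriving Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key(nonce=None):
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded (RFC 6455 4.1)."""
    nonce = os.urandom(16) if nonce is None else nonce
    return base64.b64encode(nonce).decode("ascii")


def expected_accept(client_key):
    """Value the server must return: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, path, client_key, subprotocol):
    """HTTP/1.1 GET that asks the web server to switch to WebSocket."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        f"Sec-WebSocket-Protocol: {subprotocol}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(response):
    """Split an HTTP response head into (status line, lower-cased headers)."""
    head = response.partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def validate_upgrade_response(response, client_key, subprotocol):
    """Client-side checks of RFC 6455 section 4.1. Any failure means the
    connection must be closed, not used as a WebSocket."""
    status, headers = parse_headers(response)
    if not status.startswith("HTTP/1.1 101"):
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in headers.get("connection", "").lower():
        return False
    # Proves the server actually processed our key (not a cached/proxied reply).
    accept = headers.get("sec-websocket-accept", "")
    if not hmac.compare_digest(accept, expected_accept(client_key)):
        return False
    # The server must echo exactly one of the subprotocols we offered.
    if headers.get("sec-websocket-protocol") != subprotocol:
        return False
    return True


def build_sip_register(user, domain, branch, call_id, transport="WS"):
    """Minimal SIP REGISTER body for a WebSocket text frame. The Via
    transport token is an assumption about what the draft would specify."""
    lines = [
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/{transport} browser.invalid;branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{domain}>;tag=example-tag",
        f"To: <sip:{user}@{domain}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 REGISTER",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample exchange using the key/accept pair printed in RFC 6455.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    "Sec-WebSocket-Protocol: sip\r\n\r\n"
)

if __name__ == "__main__":
    print(build_upgrade_request("sip-ws.example.com", "/", SAMPLE_KEY, "sip"))
    print("handshake ok:", validate_upgrade_response(SAMPLE_RESPONSE, SAMPLE_KEY, "sip"))
    print(build_sip_register("alice", "example.com", "z9hG4bK-demo", "demo-call-id"))
```

The two checks worth noting from a security standpoint are the accept-value comparison, which ties the 101 response to the key this client generated, and the subprotocol echo, which prevents the client from silently running SIP over a connection the server agreed to for some other purpose.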


If you are interested in WebRTC, you might like my new book “WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web”.





How I Learned to Stop Worrying and Love Amazon

Today I ditched a long-time partner, Smashwords.  I feel really, really bad.  I remember clearly the day I found the site and realized I could use this one excellent site for distributing my eBook on multiple platforms: iBooks, Nook, Diesel, Kobo, Sony, etc.  I loved the way I could generate free download coupons for my eBook.  I raved about Smashwords on this blog.  Between Smashwords and Amazon KDP (Kindle Direct Publishing), I had my eBook publishing bases covered.

As of today, I am using Amazon KDP exclusively to distribute my eBook, Counting from Zero.

Why?  Because of the terms of the new KDP Select program Amazon launched today.  In exchange for forsaking Smashwords (and all others), my eBook will be a part of Amazon’s Kindle Owners’ Lending Library, a brand new part of their Prime service.  Users of this service get to “borrow” one eBook per month for free.  Authors and publishers get no royalty, but instead will split a slush fund from Amazon based on their books’ share of lending.  How much will this be?  No one knows – it depends on the degree to which users adopt this new model.  There is also the opportunity to offer my eBook for free promotions, as well.

Why did I decide to participate?  Well, the financial calculation was trivial.  As the pie chart shows, 88% of my sales have been eBooks on KDP, with 7% paperbacks (on Amazon and B&N), and just 5% eBooks through Smashwords.  To give up those 5% sales to add a new distribution channel is an easy calculation.  Also, I just love being able to participate in the disruption of the publishing industry, and it will be a very interesting ride the next few months to see if this takes off.

Despite the title of this blog (apologies to Dr. Strangelove), I do still worry about Amazon.  Their power in the publishing industry is growing exponentially.  If the Kindle Fire takes off and lending as well, it will give Amazon even more leverage.  I really, really don’t like the exclusive requirement for Kindle Select.  It feels awful to say goodbye to Smashwords, a site that has been extremely useful to me this year.

So, here it is – it will be interesting to see how it goes!



Smartphone Hacking


Last night I was interviewed on KMOV-TV Channel 4 in St. Louis about smartphone hacking.  I was asked by Jasmine Huda to comment about an article in USA Today “Hackers prey on smartphone use at work during holidays” and about the general issue of smartphone hacking.

The USA Today article is primarily about users whose smartphone connects to both their corporate accounts and their personal accounts.  The angle was that the smartphone becomes a new attack vector to penetrate corporate networks via the personal accounts on these devices.  While this attack seems plausible in theory and will no doubt happen, it is hardly widespread today.  I commented that smartphone hacking is definitely on the rise, with Android devices and their open ecosystem most common, while at the other end of the spectrum is the iPhone with its closed ecosystem and minimal hacking reported.  However, there is still the potential for iPhone hacking, as demonstrated recently by Charlie Miller, who got his application accepted in the App Store despite having malware in it.


Besides paying attention to what apps you run and what links you follow, you also need to pay attention to the physical security of your smartphone.  With so much personal information stored in it, having a smartphone password protected is a must, as is the ability to remotely wipe the phone if lost. In my technothriller novel Counting from Zero, the main character Mick O’Malley temporarily loses possession of his smartphone.  Being the overly paranoid type, he immediately discards the phone hardware, replaces it, then reinstalls all his information on it.

Today, a bigger concern than smartphone hacking is smartphone privacy, and the personal information that apps are routinely sharing without really informing the user, but this is a topic for another day.


Remembrance Day and “Operation eBook Drop”

Today is Remembrance Day, also known as Veterans Day here in the United States, which happens to be a binary date (11/11/11). This day commemorates the Armistice that ended World War 1 in 1918. Today I remember two of my relatives who served their country during the world wars of last century. One grandfather fought in World War 1 in France, while my other grandfather fought in World War 2 in Egypt and New Guinea. Both of them served in the Australian army. Fortunately, they both came home safely. Today we remember those who did not.

I have had the privilege of doing something for those who are serving today through the “Operation eBook Drop” program. This program, founded by author Edward C. Patterson and Smashwords founder Mark Coker, puts eBook authors in touch with soldiers deployed away from home to provide free eBooks. If you are an author or publisher, I would recommend participating in this worthy cause. I have given away quite a few copies of my technothriller novel Counting from Zero through this program.

Remember today the sacrifices of those in the past and those serving today.


Stingray: Law Enforcement Impersonation of Mobile Base Stations

I’ve been reading in amazement lately about the use of mobile phone tracking by US law enforcement. I’m not amazed that it is happening, but I am amazed by the way that it is happening. Let me explain why.

Mobile phones, as they are currently engineered, are very susceptible to tracking. Many smartphones have GPS location capabilities built in that can log location information. Apps can be used to extract this from a phone, either with the consent of the user (finding lost phone services, parental tracking, business applications, etc.) or without (malware, abusive location-based services, etc.). Older versions of iPhone software even logged this information in an unprotected file that could be accessed by anyone holding the phone.

The mobile service provider also knows the location of mobile phones whenever the phone is turned on – this is just part of providing the service. The phone is always in touch with the nearest base station – the antennas you see on towers and tops of buildings are the visible parts of base stations. The service provider keeps a database of where a phone is located so when an incoming call comes in the phone can be alerted.

When I have thought about law enforcement tracking mobile phones as part of an investigation, for example, I’ve imagined them going to the mobile service provider with an appropriate court order, and getting that information. Instead, it seems a different approach is being used – one that involves what we in the security industry would call an impersonation attack on the mobile phone network.

In my cybercrime mystery novel Counting from Zero, I talk about mobile phone base station impersonation attacks, and also talk about other aspects of mobile phone security.  I’ve always imagined these attacks being launched by criminals or intelligence agencies, but never as a routine part of law enforcement, where the software used is known as “stingray”.

Basically, as described in a number of articles, including this one in the WSJ, the investigators use a piece of software that pretends to be a mobile service provider base station – hence the impersonation. Unfortunately, with today’s mobile phones there is no authentication or validation of this – your mobile phone just assumes that any transmission it receives on the mobile phone frequencies (which, by the way, requires a spectrum license from the FCC) is a valid base station and will communicate with it. A phone will pick the strongest one when there is a choice, so the attacker doesn’t need to jam or shut down the legitimate base station, just overpower it. When the mobile phone connects, the stingray software learns the serial number of the mobile phone (the IMSI, for those technically inclined), which can be mapped to a telephone number. By noting the signal strength and by taking a few readings in a number of locations, the location of the mobile phone can be determined by triangulation.

Now since this fraudulent base station doesn’t have access to subscriber data or the data network, they can’t actually get in the middle of actual calls and listen in – this would be a full Man-in-the-Middle attack, or MitM as it is known in the industry.  However, the software is impersonating a mobile operator’s base station and transmitting on frequencies licensed to that mobile operator.  Also, I don’t think this approach is so selective that it only impacts the target of the investigation.  When a stingray is set up, it would trap all mobile phones in the vicinity into communicating with it. More than likely it can disconnect the mobile users who are not the subject of the attack, but I’m not sure.

Another very worrying thing about this is that it appears that law enforcement is being very tight-lipped about discussing the capabilities of their stingray devices: what it can do to the target and what it can do to other mobile phone users in the area.  Even more strangely, it has been reported that evidence collected using these devices is also systematically being deleted, which seems very odd behavior for investigators.

There is most likely a lot more to tell about this story.  As I said, I’m a bit amazed at the use of the stingray by law enforcement.  Does this really seem like legitimate behavior?  Fortunately, it seems that the issue is likely to get a full hearing in the courts soon, and we may find out the whole story.



Explaining Security

I spent all last week in Austin, Texas at the Internet Telephony Expo, ITEXPO conference.  In addition to giving the SIP and RTCWEB Tutorial and having a board meeting of the SIP Forum, I moderated a security panel at the 4th Generation Wireless Evolution 4GWE conference.  It was a great panel, with Patricia Steadman, CEO of Telesecret, a company founded by Phil Zimmermann to commercialize the ZRTP media security protocol, and a good friend and former colleague from Avaya, Andy Zmolek from LG Electronics.

As I enjoyed the cool and damp weather back in St. Louis (the opposite end of the weather spectrum from last week!), I was elated to discover that my novel “Counting from Zero” was ranked #12 on Amazon’s Computer Network Security sales list! (Of course, this ranking changes minute-by-minute, so it might very well be ranked a bit lower when you read this.)  I mark this as yet another milestone with this book, my first attempt at fiction.  To have it doing so well in a ranking filled with security text books is very exciting!

I was also thrilled to see two other books I greatly admire ranked just above me at #7 and #9:  The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin Mitnick and William Simon:  I use both these books as references in my book.  I was thinking of Kevin all last week during my travels as I finished reading his newly released memoir Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.  It was an amazing read, and I highly recommend it.  Maybe I’ll post a full review here one day soon.

My original goal with “Counting from Zero” was to teach the fundamentals of computer and Internet security, but to do it in a non-traditional way.  I had written one other book on security, “Understanding Voice over IP Security”.  Its sales have not been great, compared to some of my other SIP and VoIP books.  One reason is perhaps that security books tend to be dry, and a little theoretical, not well-connected with real life.  In “Counting from Zero” I tried to invent a plot that would not only teach security, but help motivate it.  I set out to create a character, Mick O’Malley, who would initially seem over-the-top in his security, but have the subsequent action and events make him seem more normal, and the rest of us who barely give security a thought the strange ones.

I have greatly enjoyed the reviews of the book, and those complimenting my characters, writing, plot, etc.  But what I enjoy hearing the most is that a reader learned something from the book.

If you have an interest in Internet or computer network security, my book will help explain some basic concepts and help motivate the topic.  If you have read my book (thank you!) and learned something useful from it (fantastic!), I’d love to hear from you…


SIP and the Browser: RTCWEB and HTML5

There’s a lot of discussion these days about an effort known as RTCWEB – Real-Time Communications in Web browsers.  It is part of the HTML5 effort to build base voice and video communication capabilities directly into web browsers.  What does this mean?  HTML allows a web site or developer to easily display an image or stream a video, simply by including a standard HTML tag in their web code.  The RTCWEB extensions will similarly allow Skype-like voice and video communication, simply by adding a few HTML5 tags and some Javascript or Java code.  There are websites offering this today, but you first have to download a browser plugin before you can use it.  The developer has to write plugins for each platform and browser they want to support.  As a result, few offer this today – GoogleTalk and Google+ Hangouts are an exception to this.  For this effort to be successful, there must be standards, and two Internet standards bodies are working together closely:  the IETF (Internet Engineering Task Force) and the W3C (World Wide Web Consortium).  I have been active in the IETF’s RTCWEB Working Group, and colleagues of mine have also been involved in the W3C WEBRTC Working Group.

So how does this fit with SIP, which I’ve spent much of the last 10+ years working on?  SIP or Session Initiation Protocol is the IETF protocol for establishing voice and video sessions over the Internet.  SIP is used all over the Internet today, and in private networks.  It is used by service providers for VoIP (Voice over IP) networks, and it is used by enterprises for their internal PBX (Private Branch Exchange) networks.  It is also in a number of applications and services including Skype In and Out and even Apple’s Facetime (kind of).

Does this mean SIP in the browser?  This is an open question being debated today.  Although I have written drafts on the topic, I am no longer so sure this is the right approach.  The alternative approach says that we don’t need to standardize the protocol between the browser and the web server – just use some downloaded Javascript or Java.  But this doesn’t mean SIP will go away – rather, SIP will continue to be used to connect networks and elements, and this will include new RTCWEB websites that communicate with each other and with service providers.

This topic will continue to be discussed in the standards bodies, and also at next month’s ITEXPO Internet Telephony Expo.  I’m excited to be giving an all-day SIP Tutorial with Henry Sinnreich in which we will introduce and teach SIP and also the principles behind the RTCWEB effort and how SIP and RTCWEB relate.  You can find out more about the tutorial and register using this link.

One of the other hot topics of RTCWEB is security, and I have written and spoken out about the need for privacy – protection against eavesdropping on voice and video communication.  A media security protocol such as ZRTP would be an excellent choice, but there are other options.  Unfortunately, there is a contingent that wants to permit unencrypted voice and video media from the browser.  But that is a topic for another day…

Hope to see some of you in Austin, Texas at the SIP Tutorial on September 15, 2011!


Anonymous and Operation Facebook

The media has been buzzing the past day or so about “Operation Facebook” which was announced on YouTube by Anonymous.   Anonymous is the hacker collective made famous for their attacks in support of Wikileaks earlier this year.  Their type of politically motivated hacking is quite different from the profit motivated cyber crime hacking I write about in my novel “Counting from Zero”.

While this has been big news, other Anonymous sources have disavowed the attack.  Whether this was planned then abandoned by Anonymous, or in fact just the work of Anonymous wannabes, isn’t at all clear.  Whether there is an actual attack planned or they are looking for zero day exploits is also debatable.

Regardless, everyone should be careful what information they post on social media sites such as Facebook.  Your privacy depends on a lot of factors, including your own privacy settings, the privacy settings of your friends, the security of your computer and your friends’ computers, and ultimately the security of the entire Facebook site.  You should not post anything to Facebook that would embarrass you if it showed up on Wikileaks next week.

I was interviewed on KMOV-TV News last night about this issue.  You can watch the short segment here.

With regards to Facebook privacy, there is another less well known issue – Facebook tracking of your web browsing using widgets, but this is a topic for another day…


Big Bad Botnet?

I’ve been reading the past week or so about the TDL-4 botnet.  It has been called “huge”, “indestructible” and “tough”.

Botnets, organized networks of compromised computers known as “zombies”, have been much in the news lately.   Some, such as Coreflood, have been successfully taken down.  This botnet, however, has some interesting tricks up its sleeve.  For one thing, it uses a hard-to-disable encrypted peer-to-peer (P2P) command and control structure.  This makes conventional approaches such as blocking IP addresses and domain names not possible.   And, it fights back against other malware installed on the computer.  For example, it is able to disable the Zeus botnet.  And finally, it apparently installs a rootkit in the master boot record (MBR) of the BIOS, effectively hiding the botnet software from even the operating system!  I remember last summer when I helped my son build his PC from components, we accidentally installed a BIOS application that came with the motherboard software – it was so difficult to find and deactivate!  I can only imagine how difficult it is dealing with a rootkit installed there!

This makes me think of the fictional “Zed.Kicker” botnet in my novel, “Counting from Zero”.  It used a complicated P2P network and strong encryption.  And like TDL-4, Zed.Kicker also has a few tricks up its sleeve!

While I doubt this botnet is indestructible, it certainly is a tough customer.  The techniques and tenacity of those who battle these botnets is going to have to increase.
