On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of ACM (Association of Computing Machinery).
A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.
I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.
Here is a PDF of my presentation.
Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi, answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.
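Why comparing the SAS exposes a MitM, as an added example that is not from the presentation or from Jitsi: each party derives a short string from its own key agreement, so a relay that terminates the key exchange on both legs leaves the two callers with different strings. The toy Diffie-Hellman group and the hash input used here are simplifying assumptions, not the RFC 6189 key derivation.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only; real ZRTP
# uses 3072-bit finite-field or elliptic-curve groups.
P = 2**127 - 1  # a Mersenne prime
G = 3
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def sas(secret, initiator_pub, responder_pub):
    """Simplified SAS: hash the agreed secret with both public values and
    render the leftmost 20 bits as four base32 characters."""
    h = hashlib.sha256(b"SAS" + secret)
    h.update(initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big"))
    bits = int.from_bytes(h.digest()[:3], "big") >> 4
    return "".join(ZBASE32[(bits >> shift) & 0x1F] for shift in (15, 10, 5, 0))

def direct_call():
    """Alice and Bob exchange public values directly; returns (sas_alice, sas_bob)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (sas(shared_secret(a_priv, b_pub), a_pub, b_pub),
            sas(shared_secret(b_priv, a_pub), a_pub, b_pub))

def relayed_call():
    """A relay in the media path swaps in its own public value on each leg, so
    Alice and Bob each agree a key with the relay, not with each other."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub = keypair()
    return (sas(shared_secret(a_priv, m_pub), a_pub, m_pub),
            sas(shared_secret(b_priv, m_pub), m_pub, b_pub))

if __name__ == "__main__":
    print("direct :", direct_call())   # both strings match
    print("relayed:", relayed_call())  # the strings the callers read out differ
```

Real ZRTP also has the initiator commit to its key with a hash before seeing the other side's value, so a relay cannot search for keys that make the two short strings collide.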
Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.
We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day. Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!
Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!
Today, Eric Krapf’s NoJitter published an interview with me “Where Do We Stand With SIP? An Interview with Avaya’s Dr. Alan Johnston”.
One activity is SIPNOC, the SIP Network Operators Conference. The second SIPNOC will be held this June in Herndon, Virginia. The Call for Presentations just went out. Last year’s event was excellent, and I’m really looking forward to this year’s.
The other is the SIPconnectIT interop testing events, planned for later this year. They will be modeled after the incredibly successful SIPit SIP interoperability test events, but with a focus on SIP trunking and the SIP Forum’s SIPconnect 1.1 Recommendation.
Perhaps see some of you at these events!
As 2011 draws to a close, I wanted to take a moment to thank everyone who has helped me this year. It has been an amazing year! Here’s a short list of my highlights:
– In January I gave a SIP Tutorial for the FCC staff in DC. It was a great event, and hopefully I will get another chance to do it again in 2012. The FCC has lots of VoIP and SIP work to do with the transition of the PSTN and E911 to all VoIP. Hopefully we can soon end the ridiculous subsidies for rural telephone service and instead use them to subsidize high speed Internet service for rural areas. My friend Henning Schulzrinne was just appointed Chief Technology Officer, so I know the FCC is in good hands technically. I also enjoyed giving the SIP Tutorial in Miami, Sydney, and Austin.
– In February I published my first novel, a techno thriller about a massive attack on the Internet that gives this blog its name – Counting from Zero. Little did I know how many hacking and security stories there would be in 2011. Some have even called 2011 the Year of the Hacktivist, which is hard to argue with. Overall, I couldn’t be happier with the response to the book. Thank you so much to anyone who has read, reviewed, tweeted, or blogged about it – I am very grateful. Look for more book news in early 2012…
– In March I participated in my first robotics competition. The experience was amazing, and I look forward to the start of another build season in just over a week!
– In April, the ZRTP VoIP media security protocol was published as an RFC by the IETF, after 6 years of hard work. Editing this document is my small contribution to making the Internet more secure. Here’s to more adoption and deployment in 2012.
– In May the RTCWEB Working Group was chartered by the IETF. The work is progressing slowly but steadily. I expect more progress in 2012, and hope for some strong security to be built into the protocols – let’s show that we have learned something over the years…
– In June, I participated in the first ever SIP Network Operators Conference or SIPNOC for short. It was a great success and really shows how SIP has grown up. I am privileged to have another term on the Board of Directors of the SIP Forum. With the publication of SIPconnect, the SIP Trunking recommendation, the business use of SIP continues to grow and expand.
– In November, I had my first experience as a cricket coach. My son started the Priory Amateur Cricket Association or PACA as a club at his school. It has been a blast so far helping the boys learn the basics of cricket. They have done a great job, although we need to reduce the number of no balls! In 2012 we plan to play a one day match against a local cricket club.
So, here’s to 2011 – it was definitely an interesting year! I hope it was a good one for you and yours. Here’s to 2012!
One area of application is WebRTC, the work to enable real-time communications services in web pages. One approach that has been discussed in both the IETF and W3C is to use Websockets to open a new connection between the browser and web server, and run a signaling, presence, or instant messaging protocol over it. For example, it had been proposed to run SIP, Session Initiation Protocol, this way.
A few months ago I blogged about WebRTC and SIP, and argued that SIP should not be standardized by WebRTC, as had been proposed back then. I still believe this is correct, and recent work in the IETF has centered around instead standardizing some kind of offer/answer media negotiating protocol, while leaving the choice of signaling protocol open.
Recently a new Internet Draft was submitted on a Websocket transport for Session Initiation Protocol. I think this is a potentially useful approach and could be a good way to utilize SIP in conjunction with WebRTC. The draft is still in its early days, and has not yet been adopted by the SIPCORE Working Group, but I think it is a great start. SIP developers who are interested in the WebRTC effort should read this draft and support this work.
In the meantime, it is great to see WebSocket finally published as an RFC, something I hope to see happen to a few of my Internet Drafts in the new year!
If you are interested in WebRTC, you might like my new book “WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web”.
I spent all last week in Austin, Texas at the Internet Telephony Expo, ITEXPO conference. In addition to giving the SIP and RTCWEB Tutorial and having a board meeting of the SIP Forum, I moderated a security panel at the 4th Generation Wireless Evolution 4GWE conference. It was a great panel, with Patricia Steadman, CEO of Telesecret, a company founded by Phil Zimmermann to commercialize the ZRTP media security protocol, and a good friend and former colleague from Avaya, Andy Zmolek from LG Electronics.
As I enjoyed the cool and damp weather back in St. Louis (the opposite end of the weather spectrum from last week!), I was elated to discover that my novel “Counting from Zero” was ranked #12 on Amazon’s Computer Network Security sales list! (Of course, this ranking changes minute-by-minute, so it might very well be ranked a bit lower when you read this.) I mark this as yet another milestone with this book, my first attempt at fiction. To have it doing so well in a ranking filled with security text books is very exciting!
I was also thrilled to see two other books I greatly admire ranked just above me at #7 and #9: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin Mitnick and William Simon. I use both these books as references in my book. I was thinking of Kevin all last week during my travels as I finished reading his newly released memoir Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. It was an amazing read, and I highly recommend it. Maybe I’ll post a full review here one day soon.
My original goal with “Counting from Zero” was to teach the fundamentals of computer and Internet security, but to do it in a non-traditional way. I had written one other book on security, “Understanding Voice over IP Security”. Its sales have not been great, compared to some of my other SIP and VoIP books. One reason is perhaps that security books tend to be dry, and a little theoretical, not well-connected with real life. In “Counting from Zero” I tried to invent a plot that would not only teach security, but help motivate it. I set out to create a character, Mick O’Malley, who would initially seem over-the-top in his security, but have the subsequent action and events make him seem more normal, and the rest of us who barely give security a thought the strange ones.
I have greatly enjoyed the reviews of the book, and those complimenting my characters, writing, plot, etc. But I enjoy hearing the most that a reader learned something from the book.
If you have an interest in Internet or computer network security, my book will help explain some basic concepts and help motivate the topic. If you have read my book (thank you!) and learned something useful from it (fantastic!), I’d love to hear from you…
SIP, or Session Initiation Protocol, is used on the Internet for making phone calls. In technical terms, it is a signaling protocol.
I was involved very early in the development of SIP. It was my introduction to the world of open Internet standards, something I believe very strongly in. Let me explain.
In the early days of computers, everything was proprietary, which in this situation means that it was unique and different for every brand and type of computer. As hard as it is to imagine today, there wasn’t even a common standard for representing characters – a simple text document would have to be converted in order to display correctly (some examples, for those of you interested, were EBCDIC, Baudot, and ASCII – which became the standard?). The same was true for networking – each manufacturer had their own protocols and interfaces – it was virtually impossible (by design) to connect them together.
Fortunately we have come a long way since then, and the Internet, with its open standards helped a lot. I’ve enjoyed working on open standards with the Internet Engineering Task Force or IETF for quite a few years now.
SIPconnect is a great example developed by a not-for-profit that I am proud to be involved with, the international SIP Forum. SIPconnect is a standard that helps connect a telephone network with a business phone system, known as a PBX in the business, when the connection is made over the Internet instead of old fashioned wires and leased lines. It isn’t very exciting but it solves an important problem for both service providers and businesses. In short, it does what a standard does best, and works behind the scenes to reduce costs and increase efficiency.
Here is a good article by Russell Bennet entitled “Finally, a SIP Trunking Standard that Makes Sense” which gives some good background on PSTN Trunking and SIP Trunking with SIPconnect.
Unfortunately, there are lots of examples today where standards are not being followed, and single-company, proprietary systems are in use. Some of the most prominent examples relate to some of the most popular hand held and personal electronic devices used by many people (including myself!)
But standards are always evolving, and business models change – today’s successful proprietary lock in is replaced by next year’s standard. Technology is both fast moving and fast changing.
For today, I’m happy to celebrate the publication of this SIP document and remember all my friends and colleagues who have worked so hard on it over the years!
As we jokingly say as we raise our glasses, “SIP, SIP!”
RFCs, or Requests for Comments, are the publications about the technical details of how the Internet works. They go all the way back to the earliest days of the ARPANET, when they were used to share information among a small group of researchers. RFCs are published by the RFC Editor and cover Internet fundamentals such as TCP, IP, and SMTP. My first RFC was one for Session Initiation Protocol or SIP which was published as RFC 3261. Since then, I have published 14 others, but I’m most proud of this one.
ZRTP is a security protocol for providing privacy for VoIP calls over the Internet. It was invented by Phil Zimmermann, who invented PGP (Pretty Good Privacy) for email encryption in the 90’s. When I met him in 2005, he had an idea how to encrypt voice calls and some very rough prototype code. I helped him turn it into a protocol, and wrote the outline of the document that was published today. I’ve been the editor of this document for the past 5 years.
I think ZRTP is the best way to secure voice and video over the Internet. The reasons are a bit technical, but perhaps I’ll attempt to explain why in another post. In the meantime, Phil Zimmermann’s Zfone Project web page has some good points in it.
Oh, and there is one other reason why I’m proud of this document – I came up with the name ZRTP. RTP stands for Real-time Transport Protocol. And of course, Z stands for Phil! It was a joke at first, but it kind of stuck.
ZRTP even makes an appearance in my techno thriller novel, Counting from Zero. The protagonist, Mick O’Malley uses ZRTP to ensure that all his voice and video communication is private, thwarting those who would like to wire tap his communications.
It has been a lot of work getting this RFC published, and I’m quite proud of the work. And over the years, I’ve become good friends with Phil, which is a real bonus.
Today I’m going to have a mini celebration – happy first birthday ZRTP, RFC 6189!
I came across this article the other day thanks to my friend Olle, whose blog “VoIP Forum – Open Source and Open Standards in IP Communications” is often filled with interesting information about my industry.
It is entitled “A Distributed Cracker for VoIP” and it is a real life example of how some of my interests are coming together. The article mentions a botnet (short for a robot network – a collection of ‘zombie’ computers that have been taken over by someone), P2P (peer-to-peer) message routing, and VoIP (Voice over Internet Protocol – putting voice and phone calls over the Internet). And BTW, “cracker” doesn’t refer to the food, it means a password cracker or breaker.
If you have read or heard about my new techno thriller Counting from Zero, all these topics will be familiar, as they all form part of the plot in the book! The additional thing this article adds is a mention of SIP or Session Initiation Protocol, which really brings it all together for me! For a hint why, check out my Author Page at Amazon…
My professional life over the past 13 years or so has revolved around SIP. SIP is an Internet protocol – a way that computers establish voice, video, or other sessions over the Internet for communication. It has been widely adopted in Voice over IP (VoIP) and also in video conferencing services. Most telephone companies today are deploying Internet Protocol (IP) networks and running SIP over them to carry phone calls. For the past 10 years or so, my home has never been without a “SIP Phone” on my desk. A SIP Phone looks like a normal telephone, with a handset, a keypad, and a ringer, but instead of plugging into a telephone jack, it has an Ethernet jack and plugs into the Internet! Wherever on the Internet I plug in the phone, it has my identity and I can place and receive phone calls.
Above is a picture of a SIP phone made by my employer, Avaya, which is used in corporate offices. Many of you will recognize the Cisco phones that have become the staple telephone prop in television and movies – these phones are all VoIP phones, and many are also SIP phones.
The blog post “A Distributed Cracker for VoIP” is about a botnet with P2P routing that uses zombie computers to discover and attack SIP VoIP phones and systems (known as a PBX or Private Branch Exchange) by trying to guess the passwords. And the results are sent back to a shadowy command and control center for the botnet. I’m sure there will be more and more of this in the future.
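One way a PBX operator could spot this kind of distributed guessing, as an added example that is not code from either blog: because each zombie only needs to make a few attempts, the check groups rejected REGISTERs by target account instead of by source address. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical registrar log format (not from the post):
# <ISO time> <source IP> <method> <user> auth=<y|n> <SIP status>
# auth=n + 401 is the normal digest challenge; auth=y + 401/403 is a rejected password.
SAMPLE_LOG = """\
2011-03-01T10:00:00 192.0.2.50 REGISTER 1002 auth=n 401
2011-03-01T10:00:01 192.0.2.50 REGISTER 1002 auth=y 200
2011-03-01T10:01:00 198.51.100.11 REGISTER 1001 auth=y 401
2011-03-01T10:01:30 203.0.113.7 REGISTER 1001 auth=y 401
2011-03-01T10:02:10 198.51.100.42 REGISTER 1001 auth=y 401
2011-03-01T10:02:40 203.0.113.99 REGISTER 1001 auth=y 401
2011-03-01T10:03:00 192.0.2.77 REGISTER 1003 auth=y 401
2011-03-01T10:04:00 198.51.100.11 REGISTER 1001 auth=y 401
2011-03-01T10:05:20 203.0.113.7 REGISTER 1001 auth=y 401
2011-03-01T10:06:00 198.51.100.42 REGISTER 1001 auth=y 401
2011-03-01T10:07:15 203.0.113.99 REGISTER 1001 auth=y 401
"""

def rejected_attempts(log_text):
    """Yield (time, source, user) for REGISTERs that carried credentials and were refused."""
    for line in log_text.strip().splitlines():
        ts, src, method, user, auth, status = line.split()
        if method == "REGISTER" and auth == "auth=y" and status in ("401", "403"):
            yield datetime.fromisoformat(ts), src, user

def noisy_sources(log_text, limit=5):
    """Classic per-source threshold: sources with at least `limit` rejections."""
    counts = Counter(src for _, src, _ in rejected_attempts(log_text))
    return sorted(src for src, n in counts.items() if n >= limit)

def targeted_accounts(log_text, window=timedelta(minutes=10), min_failures=6, min_sources=3):
    """Per-account view: many rejections from several sources inside one window."""
    by_user = defaultdict(list)
    for ts, src, user in rejected_attempts(log_text):
        by_user[user].append((ts, src))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if end - start + 1 >= min_failures and len(sources) >= min_sources:
                alerts[user] = sorted(sources)
                break
    return alerts

if __name__ == "__main__":
    print("per-source alerts:", noisy_sources(SAMPLE_LOG))
    print("per-account alerts:", targeted_accounts(SAMPLE_LOG))
```

On the sample, no single address crosses the per-source limit, while extension 1001 is flagged with the four addresses that shared the guessing.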
Interesting how various interests can come together like this – something that happens a lot with the Internet.
I started writing Counting from Zero about a year ago on a high speed train heading out of Tokyo – sound familiar?
The book was really born much earlier. I had previously written four technical books and enjoyed the experience greatly. But the subject matter, Session Initiation Protocol or SIP, was extremely narrow and technical, and so not of interest to very many people. I had been thinking for a while about writing a book for a wider audience, and I was thinking along the lines of Internet security. Then I got the idea of trying to incorporate some useful technical information into a work of fiction.
I had written various pieces of fiction over the years, but just for my family and friends. (There are a few Star Trek fanfic stories out there that hopefully will never find their way to the Internet!) Instead of thinking about the plot, I first thought about the characters. This was a lot of fun! Once I felt like I knew Mick, Kat, Lars, Gunter, and Liz, I started getting ideas about situations I wanted to put them in, and the plot began to take shape. I re-read some of my favorite authors such as Jane Austen, Neal Stephenson, and Mark Twain for inspiration. At the suggestion of my best friend from high school, Steve George, I added the Security and Other Lies blog chapter interludes. The book slowly took shape.
I wrote most of the book while traveling: on airplanes, in hotel rooms, in airports, and on trains. I have spent time in nearly every setting of the book.
Then, I reached that place of decision: what to do with the Counting from Zero manuscript once I had a draft complete. Next time I’ll talk about how I became an eBook publisher.