Category: Asterisk

Video and Slides Now Available For My AstriCon 2015 Keynote: Open Source and The Global Disruption of Telecom

If you're interested in what I said last month at AstriCon 2015 in my keynote on "Open Source And The Global Disruption of Telecom: What Choices Will We Make?", the video and slides are both available.

As I wrote about previously, the context for this discussion was to talk about the changes that are happening all around us in terms of the ways in which we communicate. Here was the abstract:

There is a battle raging for the global future of telecommunications and the Internet. Taking place in networks, board rooms and legislatures, the battle will determine how we all communicate and what opportunities will exist. Will telecom support innovation? Will it be accessible to all? Will it give us the level of security and privacy we need to have the open, trusted Internet? Or will it be restricted and limited by corporate or government gatekeepers?

The rise of voice-over-IP has fundamentally disrupted the massive global telecommunications industry, infrastructure and policies. Open source software such as Asterisk has been a huge driver of that disruption and innovation.. but now what? What role do platforms such as Asterisk play in this space? And what can be their role in a telecom infrastructure that is now mobile, increasingly embedded (Internet of Things) and more and more using proprietary walled gardens of communication?

How well I delivered on that will be up to you to decide... but I felt good about how it all came out and received many great comments and feedback throughout the rest of the event and afterwards. And, as a speaker I could see from the crowd (about 500-ish people) that they were NOT looking down into their smartphones or laptops... which is always a good sign! ;-)

A key point of what I aimed to do was to bring people up to a higher level to think about how their own actions fit into the broader context of what is happening in the world today.

It was fun to do! And I loved all the questions I was getting after that. My goal was to make people think... and it seemed that at least for some I did.

My part of the video starts after 15 minutes of introductory items (this was the opening of the event), so if you watch in the embedded video below you'll need to move forward to the 15:00 mark. You can also follow this direct link to the start of my segment with an introduction to me from Mark Spencer, the creator of Asterisk.

(And yes, this was the first time I had ever given a presentation wearing a ponytail in the long hair experiment I've been trying this year... I'm still not 100% sure I'm going to keep this style. This may be the first and only presentation you see with me like this.)

Unfortunately, the video only shows me talking on stage and doesn't show the slides I was using... so you don't understand what I'm talking about when I reference the slides.

I've posted the slides to my SlideShare account but as you'll see without the video or audio they aren't of much value. This was a wonderful opportunity for me to present in the very minimalist style I prefer where I only use images or a few words - and I thoroughly enjoyed doing so.

However, syncing the slides to the video is not something you'll probably find easy. At some point perhaps I'll create another video showing both my speaking and the slides... but I don't know that it will happen anytime soon.

Meanwhile, here they are...

Some of the links I reference in the presentation include (in the order of their appearance):

If you enjoyed this presentation and would like to have me potentially speak at your event, please do contact me. I've been speaking for many years and very much enjoy giving these kinds of presentations at all types of events.

Keynote at AstriCon on Oct 14: Open Source And The Global Disruption Of Telecom – What Choices Will We Make?

Two weeks from today I'll be in Orlando giving the opening keynote address at AstriCon 2015. The abstract of the session is:

Open Source And The Global Disruption Of Telecom - What Choices Will We Make?

Wednesday, October 14th, 2015 - 9:00 am to 9:45 am - Pacifica Ballroom 7

There is a battle raging for the global future of telecommunications and the Internet. Taking place in networks, board rooms and legislatures, the battle will determine how we all communicate and what opportunities will exist. Will telecom support innovation? Will it be accessible to all? Will it give us the level of security and privacy we need to have the open, trusted Internet? Or will it be restricted and limited by corporate or government gatekeepers?

The rise of voice-over-IP has fundamentally disrupted the massive global telecommunications industry, infrastructure and policies. Open source software such as Asterisk has been a huge driver of that disruption and innovation.. but now what? What role do platforms such as Asterisk play in this space? And what can be their role in a telecom infrastructure that is now mobile, increasingly embedded (Internet of Things) and more and more using proprietary walled gardens of communication?

Join the Internet Society's Dan York in an exploration of what the future holds for telecom infrastructure and policy - and how the choices we make will determine that future.

Sounds great, eh?

Now I just have to deliver on that lofty rhetoric! :-)

Seriously, though, I'm very much looking forward to giving this presentation and I'm delighted that the folks at Digium asked me to speak. We're at a critical time in the evolution of our global communications infrastructure... with everything moving to IP and also moving to mobile, there are incredibly important choices we have to make for our future.

In the talk, I'll be speaking about the scenarios we have for what our future Internet could look like. I'll be talking about the role of open source. I'll be challenging the audience with some questions to ponder. I'll touch on some of the incredibly important - yet hard to understand - global policy issues such as the upcoming WSIS+10 Review in December - and why an open source developer should even remotely care! I'll of course hit on security issues and the rise of mobile... and more...

I'm excited!

I'm also excited to finally attend an AstriCon event. I used to write about Asterisk a good bit and for a while was running my own server in my home office for VoIP... but in all that time I never was able to work in attending an AstriCon!

If you are going to be there in Orlando, please do say hello! (There's still time to register!)

P.S. And yes, Olle Johansson, I'll be sure to work in at least one reference to IPv6! And TLS, too! Don't worry! :-)

7 Asterisk VoIP Security Advisories Issued

The Digium / Asterisk Security Team has obviously been extremely busy ensuring that Asterisk is as secure as possible given that yesterday they released 7 security advisories, although only one of them (AST2014-16) was rated as “Critical”. The others are rated as “Moderate” or “Minor” – but still are good reasons to upgrade to the latest versions of Asterisk. The list of advisories is:

The issues are all fixed in the latest versions of Asterisk:

  • Asterisk Open Source 1.8.32.1, 11.14.1, 12.7.1, 13.0.1
  • Certified Asterisk 1.8.28-cert3, 11.6-cert8

Kudos to the Digium/Asterisk Security Team for the work they do in keeping Asterisk secure – and also for their openness in reporting the issues publicly!

2 Asterisk Security Vulnerabilities Could Lead To Remote Crashes

The great folks on Digium’s security team published two security advisories this week that could lead to remote crashes of an Asterisk server.

The first, AST-2013-004, Remote Crash From Late Arriving SIP ACK With SDP, has this description:

A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.

The second, AST-2013-005, Remote Crash when Invalid SDP is sent in SIP Request, has this description:

A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.

My one critique of the security advisories is that they don’t contain any “mitigating circumstances” that explain the circumstances under which the vulnerabilities could be exploited. For instance, it would seem from reading the documents that at least in the first case there would need to be a successful SIP connection established first – and then ended – before the packet could be received that would cause the crash. Unfortunately I don’t personally know Asterisk’s internals well enough to comment on that.

Regardless, the fix here is to upgrade to the latest versions of Asterisk as documented in the security advisories.

Kudos to the Digium folks for issuing these advisories and continuing their clear process of letting people know about security within Asterisk.
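An added illustration of the failure mode described in AST-2013-005 above, not Asterisk's code and not taken from the advisory: a minimal C SDP reader that records `c=` lines as they arrive, resolves each media description's address only after the whole body has been parsed, and rejects any media left without one. The `struct media` layout, the `sdp_parse` name and the sample SDP bodies are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MEDIA 8
struct media { char type[16]; int port; char addr[64]; int addr_set; };
/* Constructed samples: m= before its c= line, and no c= line at all. */
static const char SDP_MEDIA_FIRST[] = "v=0\r\ns=-\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\nc=IN IP4 192.0.2.10\r\n";
static const char SDP_NO_CONN[] = "v=0\r\ns=-\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n";

/* Returns the number of media descriptions, or -1 if the SDP is malformed
 * or any media has neither a media-level nor a session-level address. */
int sdp_parse(const char *sdp, struct media *out, int max) {
    char session_addr[64] = "";
    int n = 0;
    for (const char *p = sdp; *p; ) {
        char line[128];
        size_t len = strcspn(p, "\r\n");
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + strspn(p + len, "\r\n");
        if (strncmp(line, "m=", 2) == 0) {
            if (n == max) return -1;
            memset(&out[n], 0, sizeof out[n]);   /* addr_set starts at 0 */
            if (sscanf(line, "m=%15s %d", out[n].type, &out[n].port) != 2)
                return -1;
            n++;
        } else if (strncmp(line, "c=", 2) == 0) {
            /* c= before any m= is session-level; after, it is media-level */
            char *dst = n ? out[n - 1].addr : session_addr;
            if (sscanf(line, "c=IN IP%*1[46] %63s", dst) != 1) return -1;
            if (n) out[n - 1].addr_set = 1;
        }
    }
    for (int i = 0; i < n; i++) {        /* resolve only after full parse */
        if (out[i].addr_set) continue;
        if (!session_addr[0]) return -1; /* never use an unset address */
        strcpy(out[i].addr, session_addr);
        out[i].addr_set = 1;
    }
    return n;
}

int main(void) {
    struct media m[MAX_MEDIA];
    printf("media-first: %d\n", sdp_parse(SDP_MEDIA_FIRST, m, MAX_MEDIA));
    printf("no c= line:  %d\n", sdp_parse(SDP_NO_CONN, m, MAX_MEDIA));
    return 0;
}
```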

Digium Releases 3 Asterisk Security Advisories

This week Digium released three security advisories allowing remote authenticated sessions to either crash an Asterisk server or escalate user privileges. The advisories are:

In all cases the solution is to upgrade to the latest releases of Asterisk Open Source (1.6.2.24, 1.8.11.1 or 10.3.1) or Asterisk Business Edition (C.3.7.4).

Are They Crazy? Digium Enters The Phone Game With Asterisk IP Phones

When I first saw the news today, my immediate reaction was:
Seriously? Digium is coming out with phones???
In a rather fascinating move in an already extremely crowded market, Digium announced today that they will be producing "Digium Phones", a new line of IP phones specifically targeted at users of Asterisk and Switchvox (both Digium products). They tout among the benefits:
  • Crystal clear HD Voice
  • Simple setup and installation
  • Tightest integration with Asterisk
  • Built-in & custom applications
  • A built-in "app engine" JavaScript API

There will be three models available:

  • D40—An entry-level HD IP phone with 2-line keys. Priced at $149.
  • D50—A mid-level HD IP phone with 4-line keys and 10 quick dial/BLF keys with paper labels. Priced at $179.
  • D70—An executive-level HD IP phone with 6-line keys and 10 quick dial/BLF keys on an additional LCD screen. Priced at $279.

The news release indicates they will be available in April and are currently on display at ITEXPO this week down in Miami. A datasheet is available.

Application Platform

What is perhaps most interesting to me is the "app engine" included in the phone. From the news release:

Digium phones include an app engine with a simple yet powerful JavaScript API that lets programmers create custom apps that run on the phones. They aren’t simply XML pages; Digium phone apps can interface directly with core phone features.

Many IP phone vendors have tried various systems like this to let developers build more apps into the phone with varying degrees of success. What makes Digium different, though, is that it comes from the developer community. The history of people working with Asterisk is the history of tinkering and hacking away on the systems. In fact, in the early days, that was all you could do. No fancy GUIs... just configuration files and cryptic APIs. As a result, Digium has a very strong developer community (they claim 80,000+ developers) who just may be able to make use of this new API.

What remains to be seen is what kind of applications you can really build with these phones - and how easy it is to install and/or use these apps.

Are They Crazy?

But are they crazy for entering the already insanely-crowded IP phone market? Particularly at a time when enterprise smartphone usage is increasing - and may often be the preferred communication medium? And when people are becoming increasingly comfortable with softphones, courtesy largely of Skype and "Unified Communications" desktop apps like Microsoft Lync and similar apps from Cisco, Avaya, Siemens, IBM and more?

I completely understand that Digium would want to make the Asterisk "user experience" much easier and simpler. Particularly as Digium continually seeks to move beyond their traditional more developer-centric audience into businesses and enterprises. Many of those folks want a system that "just works." If they can order a system from Cisco or Avaya that comes complete with the IP PBX, IP Phones, etc. and it all just works, they may choose that over a less-expensive but harder-to-put-together solution using Asterisk.

As these new Digium IP phones are "designed exclusively for Asterisk and Switchvox," they should remove that pain and make it much simpler to get an Asterisk solution up and running. (Side note: Does this "designed exclusively" phrase mean they won't work with other systems? Or just that they work better with Asterisk? UPDATE: Digium's Kevin Fleming answered in the comments - the phones are SIP phones that will work with any system for basic features.)

Still, the IP phone space is incredibly crowded. One vendor of VoIP products, VoIPSupply.com, lists 382 results for IP phones. A quick scan of that list will show you names like Polycom, Snom, Grandstream and Aastra, all of whom have been typical phones used with Asterisk-based systems. (As well as Cisco, Avaya and other more "traditional" telecom players.)

What will these new direct-from-Digium IP phones do to the relationships with those other IP phone vendors?

Much of Digium's early business was with PSTN gateway cards that you could install into your computer. With much of that market moving entirely over to SIP trunking or SIP-based gateways, is the IP phone line designed primarily to replace that fading revenue line? Or to simply provide another revenue source for the company - perhaps at the expense of partners?

And what is the state of the market for IP phones, anyway? Analyst firm Frost and Sullivan says the market for SIP phones will continue growing and NoJitter's Eric Krapf has reported that IP phone vendors are seeing strong growth.

Still, with the "consumerization of IT" and the "bring-your-own-device" movement as people want to use their iPhones, Android phones, iPads, tablets, etc., it seems a curious move to launch a brand new line of IP phones.

However, Digium - and Asterisk - hasn't gotten to where it is by following the conventional wisdom. If anyone can carry off the launch of a new IP phone line, they may be able to do it. It will certainly be interesting to see where this takes them.

A new IP phone line... in 2012?

I would never have thought I'd be writing about that.

What do you think? Crazy move? or smart?




Asterisk Remote Crash Vulnerability in SIP Channel Driver

The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel driver. For info about the attack, they state only:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

An assumption from this statement would be that an UNauthenticated user could not carry out this attack… but I admit to not personally knowing the SIP channel driver of Asterisk enough to be able to stand behind this conclusion.

Regardless, updates have been released in the form of new versions 1.8.7.1 and 10.0.0-rc1.