Back story to VoIP security release

Jon Crowcroft
University of Cambridge
5th Feb, 2006.

This note is about the press release made by the CRN early this year. The release is available from the CRN website and is entitled: Communications experts warn of VoIP security issues (cached copy from Google here).

There are around 70+ technical news items reporting and commenting on this at the time of writing, that can be found via Google's news service. Most take a constructive view of what I was trying to do. Direct interactions with press (e.g. Wall St. Journal) and technical groups (e.g. VOIPAS) have also been largely positive.

This is a note to clarify what the back story behind this press release was. This is my own view, and people may differ as to details and interpretation.

I am publishing this because of adverse reaction in some quarters to the release, to try to restore some trust in the process of some of the work the CRN is engaged in, in the Denial-of-Service and security area. I am going to disengage from that work for the rest of this year, to make sure people can discuss things without worrying about what I might do, mistakenly or otherwise.

I personally made this analysis of the possibility of this security problem as a result of thinking about the problem of botnet control systems. I started thinking about this properly after attending a workshop organised by OARC on the Domain Name System, on July 24/25, 2005, whose agenda is online. (Note, nothing to do with the CRN DoS working group.) We were there (myself and one of my PhD students, Tim Deegan) by invitation to present work on our centralised DNS design and implementation, which is part of ongoing research in designing a more robust Internet.

At that meeting, there was a discussion of various problems in the Internet, for which DNS plays a part - In the Computer Laboratory in the University of Cambridge, we have been working on Intrusion Detection, Worm Containment and more robust DNS implementations, so all of these ideas (viz talk on Darknets) were pretty familiar to us, and some of the ways to construct an overlay that is hard to trace are common knowledge in the security research world (viz Crowds, Onion Routing, Cover Nets) as well as ways to defend services against them (viz, for example, our work on Eternity, Vigilante, Symmetry, and many others, with folks at Berkeley, Intel, Microsoft, MIT etc).

In the last DoS WG face-to-face meeting I was listening to a talk about the list of recent attacks by a member, and chatting to him afterwards, he suggested that a weakness with the DDoS work was that, like many groups, we discussed defenses against past attacks, and that we needed to think more "like the bad guys", so we would devise defenses for attacks as yet unknown. To do this, we would have to consider novel attacks ourselves. In fact, we had, to some extent, already done this in a lot of our work on worm containment and on inverse firewalls, and in general, in security work, a threat analysis is the first thing you do in working on a new mechanism. As part of due diligence, and generally for the users' confidence, it behoves us to publish this. Note that I did not formally present the idea in the DoS working group, nor had it arisen because of any discussion (e.g. threat analysis) in the DoS working group, so the issue of trust or breach of Chatham House Rule under which early DoS meetings were held is not necessarily relevant, although I can understand that people may feel that agreements we made in that group cover all academic members behaviour outside the group to. That is demonstrably incorrect (for example, it cannot cover my own work with Microsoft or Intel, or most saliently DoCoMo, some of which I couldn't discuss with DoS WG members without undertaking an NDA). More specifically, VOIP has not been any part of the DoS work either.

Subsequently, in the CRN Wireless Workshop in December, where a journalist (Peter Judge) happened to be present, I outlined the problem I'd identified, as an example of the sort of thing we should be thinking about, to get ahead of the game. The initial idea behind writing the press release was to ensure that Peter got the facts right. We then realised that this was also an opportunity to promote the CRN and its work, and to show

In general, in the telecom business, I have not observed this approach, and in general, the telecom industry has a poor track record of pre-empting attacks - more of this below.

I do not mind personal attacks (viz the assertion that I made this press release as part of some self-aggrandisement), so much, even when they are patently absurd (I am sufficiently arrogant as an ex Westminster/Cambridge professor to believe that my personal fame is beyond enlargement, despite much spam advertising helpful support:).

The actual goals of this press release, which the CMI office in Cambridge, and the CRN director encouraged me to contribute (I don't know how to do a press release from Adam myself), were 4-fold:

  • 0. To ensure that the technical reporting of the problem was as correct as possible.
  • 1. The CRN is supposed to shake up the UK Telecom business and get them thinking in a multi-disciplinary 21st century way with other organisations in research including academia.
  • 2. The CRN is not very visible - increasing its visibility is generally a good thing - of course, some publicity may have a modest harmful effect - however, I don't see any evidence of this, as commented above.
  • 3. The example in this case was to show that a working group had members (me) that could think ahead, and consider novel threats architecturally. VOIP per se is not a problem - the release says that skype (and other tools that provide firewall/NAT-traversal via P2P overlays) is hard to track. It states that voice traffic relayed by skype provides cover (as do other traffic sources, but few with as much consistent cover traffic going to and from the same sources as a potential bot farm) - the solutions are also hinted at, and why these are not economically a threat to VOIP at all, nor to skype or other P2P secure firewall/NAT-traversing overlays. This threat has absolutely no bearing on 21C (or Telecom Italia's earlier all-IP network) VOIP provisioning, nor have any press articles I have read inferred that at all.

A very fine analysis of how skype works, and links to associated work on some of the consequences, has been done by Salman Abdul Baset and his advisor, Henning Schulzrinne, at Columbia University in NY.

I personally am surprised at the negative reaction from some parts, that this is a problem for the CRN's relationship with industry, especially since this reaction was made before actually doing any analysis of either what we said, or of the actual reaction in industry. The responses I have had from the VOIPAS, and other organisations, have been 100% constructive, without exception. No journalist that I have spoken to has reacted the way that some local industry have. I believe this is also true of the journalists my colleagues have spoken to.

To restate things:

  • This was my idea, not an industry WG member's report of an actual or threatened attack.
  • I am not paid by the CMI, BT or even the tax payer (my chair is endowed by Marconi). The CRN gets my services as PI for free. I have other research funding sources (actually I have virtually none of the 3M that CRN got, and BT's contribution was entirely to do with getting UCL in the loop, btw). Thus things devised by me outside of CRN-specific activities are not necessarily covered by agreements (e.g. limitations on what we publish, or having to check with some large set of people before we publish).
  • I would have reported this idea anyhow elsewhere - using a more technical forum of course, with more analysis (which we may still do). The idea of using this channel was to promote the CRN. I'm not sorry I did it, and I believe that the net effect has been positive (as I did ahead of time, or I would never have done it).

I am, however, going to step aside from the DoS (and other security) work in the CRN completely for the rest of 2006 (which takes us to the end of our current funding). This should not be a problem since there is now a paid-up WG manager, and the group has much fine work ongoing, but it does mean that the Cambridge work on Bro, inverse firewalls, worm containment, as well as new work on Bayesian reinforcement of snort rules, will have to get reported via other channels than myself.