The researchers say they implemented an attack laid out theoretically in a published paper last year. To pull off their substitution, the researchers had to generate a CA certificate and a website certificate that would produce the same MD5 hash — otherwise the digital signature wouldn’t match the modified certificate. The effort was complicated by two variables in the signed certificate that they couldn’t control: the serial number and the validity period. To do the actual math of finding the MD5 collision, they used the “PlayStation Lab,” a research cluster of about 200 PlayStation 3s wired together at the EPFL in Lausanne, Switzerland. Using the powerful processors, they were able to crunch out their forgery in about three days.

They recommend signing authorities switch to a newer encryption method and drop MD5, but such changes will take time to occur worldwide. Most certifying authorities have abandoned MD5, but some continue to use it.

Researchers Use PlayStation Cluster to Forge a Web Skeleton Key, Threat Level, Wired

“If it built even a primitive nuclear weapon like the type that destroyed Hiroshima, Iran would not hesitate to load it on a ship, arm it with a detonator operated by GPS and sail it into a vital port on the east coast of North America,” Mr Barak told a conference of the Institute for National Security Studies at Tel Aviv University. Indicating the possibility of an Israeli military strike on Iran, Mr Barak said: “We are not taking any option off the table, and we recommend to the world not to take any option off the table, and we mean what we say.”

Israel: Iran could attack US with nuclear bomb, London Telegraph

The NSA’s powerful computers became vast storehouses of “metadata.” They collected the telephone numbers of callers and recipients in the United States, and the time and duration of the calls. They also collected and stored the subject lines of e-mails, the times they were sent, and the addresses of both senders and recipients. By one estimate, the amount of data the NSA could suck up in close to real time was equivalent to one quarter of the entire Encyclopaedia Britannica per second. (The actual content of calls and e-mails was not being monitored as part of this aspect of the program, the sources say.) All this metadata was then sifted by the NSA, using complex algorithms to detect patterns and links that might indicate terrorist activity.

The battle started when Jack Goldsmith at the US Justice Department reviewed the legal justification of the program and believed it to be illegal, an opinion which continues to be debatable.

The identity of the person who called The New York Times has also been revealed. It was Thomas Tamm (also at USDOJ), who was “motivated in part by his anger at other Bush-administration policies at the Justice Department.” Newsweek calls him a “whistleblower who exposed warrantless wiretaps”. It is ironic that Tamm was disturbed by the legality of the methods of intelligence gathering, while less concerned about his own disclosure of classified information to the press. Was there really no internal mechanism for dealing with his concerns?

Now We Know What the Battle Was About, Newsweek

The Whistleblower Who Exposed Warrantless Wiretaps, Newsweek

The fact is when it comes to security if you’re using a wireless device for voice or data you might as well be standing in any international airport and speaking to a colleague over a megaphone. Oh, and you might want to slow down from time to time to let the crowd around you take notes.

Some secure equipment is currently available, but it can be expensive. The Sectéra Edge can use commercial cellular bandwidth and is certified on AT&T, T-Mobile, and Sprint cellular networks, with Verizon due in January. The device goes for $3,150 with a one-year warranty.

No such thing as mobile security?, Info World

Cybersecurity report offers Obama some far-reaching recommendations, Info World

At this point, hackers have discovered that TKIP and QOS together enable them to be a nusance to your wireless network, but it isn’t a complete hack… yet. It is something that could become a point of vulnerability, so it’s a good idea to move toward shutting down the possibility.

Basicly, turn off the TKIP protocol and use AES (CCMP protocol) and don’t use QOS (Quality of Service, a.k.a. WMM) on wireless (VoIP traffic should be connected to your wired router ports, or to put before your router). The combination of TKIP and QOS create the vulnerability, since QOS channels allow more attempts at the crack. Another way to defeat the vulnerability is to reduce the key lifetime to 11 minutes, instead of the default 60 minutes, since it takes a minimum of 12 minutes to perform the hack.

Many routers don’t have QOS, and a lot of routers and wireless devices don’t have AES. But if your equipment is new and WPA2 certified, you probably can switch to AES, and turn off TKIP protocol to be safe.

The TKIP Hack, Security Now, Episode 170

In 2005, I signed up for Broadvoice, a VoIP service that was only 14 months old at the time. They’re unlimited service was priced at $19.95, charged monthly. They also offered a BYOD (Bring Your Own Device) plan for only $5.99/mo. with a limited minutes allowance. At the time, my choice to use them was based on price, features offered, and availability of a local number. Since 2005, I have subscribed to Broadvoice three times - twice on their unlimited plan, and once on their BYOD plan. Each time, their service was comparable to cellular telephone service, with occasional loss of audio in one direction or another, total dropped calls, or loss of dial tone. It is unclear whether these early problems were caused by their system or packet loss on the internet. Their customer service is fine - most of the time they were great, but on my cancellation in 2007, they sounded displeased.

For a period of one year (2005-2006), I subscribed to Voicepulse’s unlimited plan at $24.99, billed monthly. Voicepulse was a better service with more features I liked including unavailable forwarding (essential during service outage) and customizable caller id to identify incoming calls the way I want to. The quality of Voicepulse service was similar to Broadvoice, which makes me suspect it has more to do with the internet than the individual companies. Voicepulse customer service was professional in tone as well as well as their level of technical expertise. 

In 2007, I signed up for a BYOD, no-monthly-fee service with VoipVoip. It’s an outgoing-only service which issues a 555 number (one that can not be called) and requires customers to setup an account to deposit funds in $10 increments. I only ever paid $10. It worked very well, and I had almost no quality issues. Their customer service was by email, but only needed for signup and cancellation (no technical problems to resolve).

Later in 2007, I purchased a MagicJack voip device, which plugs into a computer’s USB port and requires the computer to be up and running (not off or hybernating). MagicJack has its own peculiarities in setup to get it working just right. I bought the device and 5-years of service for around $80. For me, it’s a good second line.

In 2008, I tried ViaTalk. Their service was very good, and I particularly liked their 2-line service where the 2nd line is a clone of the first. They told me they have a 97% success rate at porting numbers, but they were unable to transfer mine saying they couldn’t confirm my address in their databases. I bought a newly built home 16 months ago.

Then in 2008, I switched back to Broadvoice. They now offer the Grandstream HT502 adapter which also worked very well with ViaTalk. Broadvoice has local numbers to me and they say they can port my existing Verizon number. My signup and number transfer request was all handled online, and my existing local number was ported in 3 business days. They are now my current provider.

Devices:

My first Voip device was a Sipura 1001 from Broadvoice, then a Sipura 2000 from Voicepulse, then a Linksys Sipura 2102-R. The Sipura 2102-R unit had the phone 1 port fail, but otherwise it worked with Broadvoice and VoipVoip. My latest devices (from ViaTalk and Broadvoice) were  Grandstream Handytone HT502s which I installed between my cablemodem and router. They worked great.

Broadband Providers:

I used Sprint DSL (now known as Embarq) and Adelphia Cable (now merged with Comcast). At 1500Mbps, DSL was probably too slow to provide adequate bandwidth for Voip and the entire household. At 3000Mbps, we did better. On cable internet, service was probably better, particularly in 2007-2008 when Comcast increased our speed even further.

Settings:

The DSL modem was blocking service after a short time (blocking Session Initiation Packets), and it was necessary to reconfigure it to bridge mode.

Setting routers to assign the Voip device to a DMZ port was never adequate. With the Voip device assigned to a fixed IP address, it was always necessary to also forward ports to the Voip device. The broadest port list included TCP on 80, and UDP on 69, 5060-5063 & 10000-20000. 

QOS (Quality of Service) is a router setting that allows the setting of traffic priority which means your Voip is less likely to loose packets due to local congestion.

SPI (Stateful Packet Inspection) is a router setting that can cause local congestion and is best disabled for Voip usage.

Some Voip devices can be installed between a broadband modem and a router, allowing it unrestricted access and negating the need for the above settings.

Call Centers:

It seems to make a difference which call center your VoIP company assigns your account to, and it isn’t necessarily the one you’re closest to. It will be the one you experience the least amount of packet congestion with. I have experienced dramatic improvements by asking them to assign me to a different call center.

Local Number Portability:

When I requested Broadvoice turn my landline phone number into a VoIP number in 2006, the process took about 3 weeks. More and more companies are now able to port customer’s numbers, even in areas where they don’t offer local numbers. Cell phone numbers are usually not transferable to VoIP.

Online Reviews:

It is difficult to tell which companies are the best in terms of technical quality or customer service. I suspect that many online reviews are written by customers blaming companies for technical problems caused by local configuration and internet congestion. Criticism is fair when equipment fails or customer service is slow, rude and/or unresponsive. Voip review sites vary widely. For example, in a search today, I find Vonage rated #1 in a magazine review while they appear the worst in customer service on another review site. They do have a lot of customers, but they also advertise a great deal.

Conclusion:

I still like the quality of landline service the best, but as more and more business and home users adopt Voip, I’m paying for quality I won’t get when connected to the VoIP of others. As VoIP continues to improve, it just makes sense to make the switch.