[Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @ 1PM Eastern

Cal Leeming [Simplicity Media Ltd] cal.leeming at simplicitymedialtd.co.uk
Thu Oct 24 19:44:59 MSD 2013


This is one of the concepts I'd raised yesterday, generating a nonce using
a unique value that only the vendor and the phone know (i.e. a serial
number, or in future phones, TPM/RSA module). However, if the keys are ever
compromised, then this would be rendered useless. Encryption is also good,
but relies on a strong password which is difficult to type in on a phone
and removes the concept of zero touch.

To be honest, I don't think zero touch is going to be feasible if we want
to keep security, because you are trusting that the keys stored at <vendor's
provisioning system here> haven't been compromised. One touch would be a
much better solution (there have been some great suggestions on that so
far).

Cal


On Thu, Oct 24, 2013 at 4:17 PM, Moishe Grunstein <max at nysolutions.com> wrote:

> I wonder if Yealink phones have a certificate that can verify the MAC
> address being provisioned, the way the newer Snom do.
>
> http://wiki.snomone.com/index.php?title=Plug_and_Play_for_snom_phones#Pairing_the_phone_with_snom_ONE
>
> Thanks,
>
> Moishe Grunstein
> Tornado Computer Systems, Inc.
>
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Moshe3t
> Sent: Thursday, October 24, 2013 10:47 AM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly
> Special Security Edition! Wed Oct 23rd @ 1PM Eastern
>
> Hi
>
> I would suggest (I have Bcc'd Yealink as well) that, as they have when a
> phone is reset to factory default it pops up on the screen of the phone
> the local network option (DHCP/Static), modifiable via the phone keypad, it
> should also ask whether to use encrypted provisioning or not, and if
> encrypted is chosen it should let the end user put in the decryption key
> via the phone keypad, which will be available on the website of the
> provisioning server (assuming it's secure, as in most cases it might hold
> SIP creds as well), so the end user will be able to set up and
> auto-provision their phone without logging in to the phone web GUI (OK! It
> won't be zero touch, it will be 1-touch provisioning, as if the user
> doesn't have to touch the phone at all ;-) )
>
> Before submitting this approach to any vendors I would like to hear input
> and make sure the issue is addressed properly, and hear if anyone has a
> better approach to fix this issue globally (at least with the Yealink line
> of products, as they seem to be very cooperative and understanding in
> general, especially when it comes to security, in hopes other companies
> will follow suit)
>
> Sincerely
>
>
> Moshe BT
>
>
>
>
> On 10/24/2013 10:05 AM, Ken Rice wrote:
>
> The video has been marked private at vendor request...
>
>
> On 10/24/13 2:11 AM, "Gerald Weber" <gerald.weber at besharp.at> wrote:
>
> Thanks, but youtube says this video is private.
>
> From: freeswitch-users-bounces at lists.freeswitch.org [
> mailto:freeswitch-users-bounces at lists.freeswitch.org]
> On Behalf Of Cal Leeming [Simplicity Media Ltd]
> Sent: Wednesday, October 23, 2013 23:38
> To: FreeSWITCH Users Help
> Cc: freeswitch-dev at lists.freeswitch.org;
> freeswitch-cluecon at lists.freeswitch.org
> Subject: Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly
> Special Security Edition! Wed Oct 23rd @ 1PM Eastern
>
>
> For those that missed it, you can watch the whole thing here;
>
> http://www.youtube.com/watch?v=raXkHi_uGF8
>
> --
> Ken
> http://www.FreeSWITCH.org
> http://www.ClueCon.com
> http://www.OSTAG.org
> G+ ClueCon :    http://fs0.us/cluecon-gplus
> FB ClueCon :    http://fs0.us/cluecon-fb
> G+ FreeSwitch : http://fs0.us/freeswitch-gplus
> FB FreeSWITCH : http://fs0.us/freeswitch-fb
> Twitter : @FreeSWITCH_WIRE
> irc.freenode.net #freeswitch
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
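
Added example (not written by any poster in this thread, by Yealink or Snom, or by the FreeSWITCH project): a sketch of the one-touch idea discussed above, where the provisioning portal issues a short keypad-typable code and the phone must prove knowledge of it before its config is released. The class and function names, the 8-digit code, the TTL and the attempt limit are all assumptions; the limit and one-time use address the weak-password concern raised in the top message.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5      # an 8-digit keypad code is low entropy: cap online guesses
CODE_TTL = 15 * 60    # seconds a pairing code stays valid (assumed policy)

def derive_key(code: str, mac: str) -> bytes:
    # Stretch the short code; salting with the MAC binds the key to one device.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), mac.lower().encode(), 100_000)

def phone_proof(code: str, mac: str, nonce: bytes) -> str:
    # Phone side: computed after the user types the code on the keypad.
    msg = nonce + mac.lower().encode()
    return hmac.new(derive_key(code, mac), msg, hashlib.sha256).hexdigest()

class PairingServer:
    """Hypothetical provisioning server; assumes the exchange runs over TLS."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # mac -> pairing state

    def issue_code(self, mac: str) -> str:
        # Shown to the logged-in end user on the provisioning portal.
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[mac.lower()] = {"key": derive_key(code, mac), "fails": 0,
                                     "expires": self.clock() + CODE_TTL, "nonce": None}
        return code

    def challenge(self, mac: str) -> bytes:
        nonce = secrets.token_bytes(16)
        if mac.lower() in self.pending:
            self.pending[mac.lower()]["nonce"] = nonce
        return nonce  # unknown MACs get a same-shaped reply

    def verify(self, mac: str, proof: str) -> bool:
        entry = self.pending.get(mac.lower())
        if entry is None or entry["nonce"] is None:
            return False
        msg, entry["nonce"] = entry["nonce"] + mac.lower().encode(), None  # single-use nonce
        expected = hmac.new(entry["key"], msg, hashlib.sha256).hexdigest()
        expired = self.clock() > entry["expires"]
        ok = (not expired) and hmac.compare_digest(expected.encode(), proof.encode())
        entry["fails"] += 0 if ok else 1
        if ok or expired or entry["fails"] >= MAX_ATTEMPTS:
            del self.pending[mac.lower()]  # success, expiry or lockout ends the code
        return ok
```

Only a successful verify() would release the device's config file; the server stores the derived key, never the code itself.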