[Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @ 1PM Eastern

Nathan Neulinger nneul at mst.edu
Thu Oct 24 20:22:32 MSD 2013


Polycom has something like that functionality in current firmware - but I believe if you _upgrade_ to a current 
firmware, it doesn't work - it only works if it had that newer key installed in the factory image.

-- Nathan

On 10/24/2013 10:44 AM, Cal Leeming [Simplicity Media Ltd] wrote:
> This is one of the concepts I'd raised yesterday, generating a nonce using a unique value that only the vendor and the
> phone knows (i.e. a serial number, or in future phones, TPM/RSA module). However if the keys are ever compromised, then
> this would be rendered useless. Encryption is also good, but relies on a strong password which is difficult to type in
> on a phone and removes the concept of zero touch.
>
> To be honest, I don't think zero touch is going to be feasible if we want to keep security, because you are trusting
> that the keys stored at <vendors provisioning system here> haven't been compromised. One touch would be a much better
> solution (there have been some great suggestions on that so far).
>
> Cal
>
>
> On Thu, Oct 24, 2013 at 4:17 PM, Moishe Grunstein <max at nysolutions.com> wrote:
>
>     I wonder if Yealink phones have a certificate that can verify the MAC address being provisioned, the way the newer
>     Snom do.
>
>     http://wiki.snomone.com/index.php?title=Plug_and_Play_for_snom_phones#Pairing_the_phone_with_snom_ONE
>
>     Thanks,
>
>     Moishe Grunstein
>     Tornado Computer Systems, Inc.
>     212.400.7650 888.IPPBX.US
>     Service Request Email: support at nysolutions.com
>
>     Polycom Certified VAR
>     Microsoft Small Business Specialist, Cisco SMB Select Certified
>
>     Computer Networking * Managed Services * IP Video Surveillance * Network Assessments * Web Solutions * Voice over IP
>     * Disaster Recovery * Network Security * Site Surveys * CMS
>
>     From: freeswitch-users-bounces at lists.freeswitch.org On Behalf Of Moshe3t
>     Sent: Thursday, October 24, 2013 10:47 AM
>     To: FreeSWITCH Users Help
>     Subject: Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @ 1PM
>     Eastern
>
>     Hi
>
>     I would suggest (I have Bcc'd Yealink as well) that, as they have it when a phone is reset to factory default, where it
>     pops up on the screen of the phone the local network option (DHCP/Static), modifiable via the phone keypad, it should
>     also ask encrypted provisioning or not, and if encrypted is chosen it should let the end user put in the decryption key
>     via the phone keypad, which will be available on the website of the provisioning server (assuming it's secure, as in
>     most cases it might hold SIP creds as well), so the end user will be able to set up and auto provision their phone
>     without logging in to the phone web GUI (OK! it won't be zero touch, it will be 1 touch provisioning, as if the user
>     doesn't have to touch the phone at all ;-) )
>
>     Before submitting this approach to any vendors I would like to hear input and make sure the issue is addressed
>     properly, and hear if anyone has a better approach to fix this issue globally (at least with the Yealink line of
>     products, as they seem to be very cooperative and understanding in general, especially when it comes to security, in
>     hopes other companies will follow suit).
>
>     Sincerely
>
>
>     Moshe BT
>
>
>
>
>     On 10/24/2013 10:05 AM, Ken Rice wrote:
>
>         The video has been marked private at vendor request...
>
>
>         On 10/24/13 2:11 AM, "Gerald Weber" <gerald.weber at besharp.at> wrote:
>
>         Thanks, but youtube says this video is private.
>
>         From: freeswitch-users-bounces at lists.freeswitch.org On Behalf Of Cal Leeming [Simplicity Media Ltd]
>         Sent: Wednesday, October 23, 2013 23:38
>         To: FreeSWITCH Users Help
>         Cc: freeswitch-dev at lists.freeswitch.org; freeswitch-cluecon at lists.freeswitch.org
>         Subject: Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @
>         1PM Eastern
>
>
>         For those that missed it, you can watch the whole thing here;
>
>         http://www.youtube.com/watch?v=raXkHi_uGF8
>
>         --
>         Ken
>         http://www.FreeSWITCH.org
>         http://www.ClueCon.com
>         http://www.OSTAG.org
>         G+ ClueCon : http://fs0.us/cluecon-gplus
>         FB ClueCon : http://fs0.us/cluecon-fb
>         G+ FreeSwitch : http://fs0.us/freeswitch-gplus
>         FB FreeSWITCH : http://fs0.us/freeswitch-fb
>         Twitter : @FreeSWITCH_WIRE
>         irc.freenode.net #freeswitch
>
>
>
>         _____________________________________________________________________________
>         Professional FreeSWITCH Consulting Services:
>         consulting at freeswitch.org
>         http://www.freeswitchsolutions.com
>
>         Official FreeSWITCH Sites
>         http://www.freeswitch.org
>         http://wiki.freeswitch.org
>         http://www.cluecon.com
>
>         FreeSWITCH-users mailing list
>         FreeSWITCH-users at lists.freeswitch.org
>         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>         UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>         http://www.freeswitch.org
>

-- 
------------------------------------------------------------
Nathan Neulinger                       nneul at mst.edu
Missouri S&T Information Technology    (573) 612-1412
System Administrator - Architect


